@cipherstash/stack 0.1.0 → 0.3.0

package/dist/{types-public-BCj1L4fi.d.ts → types-public-0CzBV45X.d.cts}

@@ -61,20 +61,26 @@ type ClientConfig = {
 };
 type AtLeastOneCsTable<T> = [T, ...T[]];
 type EncryptionClientConfig = {
-    schemas: AtLeastOneCsTable<ProtectTable<ProtectTableColumn>>;
+    schemas: AtLeastOneCsTable<EncryptedTable<EncryptedTableColumn>>;
     config?: ClientConfig;
     logging?: LoggingConfig;
 };
+/**
+ * Options for single-value encrypt operations.
+ * Use a column from your table schema (from {@link encryptedColumn}) or a nested
+ * field (from {@link encryptedField}) as the target for encryption.
+ */
 type EncryptOptions = {
-    column: ProtectColumn | ProtectValue;
-    table: ProtectTable<ProtectTableColumn>;
+    /** The column or nested field to encrypt into. From {@link EncryptedColumn} or {@link EncryptedField}. */
+    column: EncryptedColumn | EncryptedField;
+    table: EncryptedTable<EncryptedTableColumn>;
 };
 /** Format for encrypted query/search term return values */
 type EncryptedReturnType = 'eql' | 'composite-literal' | 'escaped-composite-literal';
 type SearchTerm = {
     value: JsPlaintext;
-    column: ProtectColumn;
-    table: ProtectTable<ProtectTableColumn>;
+    column: EncryptedColumn;
+    table: EncryptedTable<EncryptedTableColumn>;
     returnType?: EncryptedReturnType;
 };
 /** Encrypted search term result: EQL object or composite literal string */
@@ -92,6 +98,30 @@ type DecryptedFields<T> = {
 };
 /** Model with encrypted fields replaced by plaintext (decrypted) values */
 type Decrypted<T> = OtherFields<T> & DecryptedFields<T>;
+/**
+ * Maps a plaintext model type to its encrypted form using the table schema.
+ *
+ * Fields whose keys match columns defined in `S` become `Encrypted`;
+ * all other fields retain their original types from `T`.
+ *
+ * When `S` is the widened `EncryptedTableColumn` (e.g. when a user passes an
+ * explicit `<User>` type argument without specifying `S`), the type degrades
+ * gracefully to `T` — preserving backward compatibility.
+ *
+ * @typeParam T - The plaintext model type (e.g. `{ id: string; email: string }`)
+ * @typeParam S - The table schema column definition, inferred from the `table` argument
+ *
+ * @example
+ * ```typescript
+ * type User = { id: string; email: string }
+ * // With a schema that defines `email`:
+ * type Encrypted = EncryptedFromSchema<User, { email: EncryptedColumn }>
+ * // => { id: string; email: Encrypted }
+ * ```
+ */
+type EncryptedFromSchema<T, S extends EncryptedTableColumn> = {
+    [K in keyof T]: [K] extends [keyof S] ? [S[K & keyof S]] extends [EncryptedColumn | EncryptedField] ? Encrypted : T[K] : T[K];
+};
 type BulkEncryptPayload = Array<{
     id?: string;
     plaintext: JsPlaintext | null;
@@ -142,8 +172,8 @@ declare const queryTypes: {
 };
 /** @internal */
 type QueryTermBase = {
-    column: ProtectColumn;
-    table: ProtectTable<ProtectTableColumn>;
+    column: EncryptedColumn;
+    table: EncryptedTable<EncryptedTableColumn>;
     queryType?: QueryTypeName;
     returnType?: EncryptedReturnType;
 };
@@ -339,7 +369,6 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
             prefix: string;
         }>>;
     }, "strip", z.ZodTypeAny, {
-        ore?: {} | undefined;
         match?: {
             token_filters?: {
                 kind: "downcase";
@@ -354,6 +383,7 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
             m?: number | undefined;
             include_original?: boolean | undefined;
         } | undefined;
+        ore?: {} | undefined;
         unique?: {
             token_filters?: {
                 kind: "downcase";
@@ -363,7 +393,6 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
             prefix: string;
         } | undefined;
     }, {
-        ore?: {} | undefined;
         match?: {
             token_filters?: {
                 kind: "downcase";
@@ -378,6 +407,7 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
             m?: number | undefined;
             include_original?: boolean | undefined;
         } | undefined;
+        ore?: {} | undefined;
         unique?: {
             token_filters?: {
                 kind: "downcase";
@@ -390,7 +420,6 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
     indexes: {
-        ore?: {} | undefined;
         match?: {
             token_filters?: {
                 kind: "downcase";
@@ -405,6 +434,7 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
             m?: number | undefined;
             include_original?: boolean | undefined;
         } | undefined;
+        ore?: {} | undefined;
         unique?: {
             token_filters?: {
                 kind: "downcase";
@@ -417,7 +447,6 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
 }, {
     cast_as?: "string" | "number" | "bigint" | "boolean" | "date" | "json" | undefined;
     indexes?: {
-        ore?: {} | undefined;
         match?: {
             token_filters?: {
                 kind: "downcase";
@@ -432,6 +461,7 @@ declare const columnSchema: z.ZodDefault<z.ZodObject<{
             m?: number | undefined;
             include_original?: boolean | undefined;
         } | undefined;
+        ore?: {} | undefined;
         unique?: {
             token_filters?: {
                 kind: "downcase";
@@ -528,7 +558,6 @@ declare const encryptConfigSchema: z.ZodObject<{
                 prefix: string;
             }>>;
         }, "strip", z.ZodTypeAny, {
-            ore?: {} | undefined;
             match?: {
                 token_filters?: {
                     kind: "downcase";
@@ -543,6 +572,7 @@ declare const encryptConfigSchema: z.ZodObject<{
                 m?: number | undefined;
                 include_original?: boolean | undefined;
             } | undefined;
+            ore?: {} | undefined;
             unique?: {
                 token_filters?: {
                     kind: "downcase";
@@ -552,7 +582,6 @@ declare const encryptConfigSchema: z.ZodObject<{
                 prefix: string;
             } | undefined;
         }, {
-            ore?: {} | undefined;
             match?: {
                 token_filters?: {
                     kind: "downcase";
@@ -567,6 +596,7 @@ declare const encryptConfigSchema: z.ZodObject<{
                 m?: number | undefined;
                 include_original?: boolean | undefined;
             } | undefined;
+            ore?: {} | undefined;
             unique?: {
                 token_filters?: {
                     kind: "downcase";
@@ -579,7 +609,6 @@ declare const encryptConfigSchema: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
         indexes: {
-            ore?: {} | undefined;
             match?: {
                 token_filters?: {
                     kind: "downcase";
@@ -594,6 +623,7 @@ declare const encryptConfigSchema: z.ZodObject<{
                 m?: number | undefined;
                 include_original?: boolean | undefined;
             } | undefined;
+            ore?: {} | undefined;
             unique?: {
                 token_filters?: {
                     kind: "downcase";
@@ -606,7 +636,6 @@ declare const encryptConfigSchema: z.ZodObject<{
     }, {
         cast_as?: "string" | "number" | "bigint" | "boolean" | "date" | "json" | undefined;
         indexes?: {
-            ore?: {} | undefined;
             match?: {
                 token_filters?: {
                     kind: "downcase";
@@ -621,6 +650,7 @@ declare const encryptConfigSchema: z.ZodObject<{
                 m?: number | undefined;
                 include_original?: boolean | undefined;
             } | undefined;
+            ore?: {} | undefined;
             unique?: {
                 token_filters?: {
                     kind: "downcase";
@@ -636,7 +666,6 @@ declare const encryptConfigSchema: z.ZodObject<{
     tables: Record<string, Record<string, {
         cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
         indexes: {
-            ore?: {} | undefined;
             match?: {
                 token_filters?: {
                     kind: "downcase";
@@ -651,6 +680,7 @@ declare const encryptConfigSchema: z.ZodObject<{
                 m?: number | undefined;
                 include_original?: boolean | undefined;
             } | undefined;
+            ore?: {} | undefined;
             unique?: {
                 token_filters?: {
                     kind: "downcase";
@@ -666,7 +696,6 @@ declare const encryptConfigSchema: z.ZodObject<{
     tables?: Record<string, Record<string, {
         cast_as?: "string" | "number" | "bigint" | "boolean" | "date" | "json" | undefined;
         indexes?: {
-            ore?: {} | undefined;
             match?: {
                 token_filters?: {
                     kind: "downcase";
@@ -681,6 +710,7 @@ declare const encryptConfigSchema: z.ZodObject<{
                 m?: number | undefined;
                 include_original?: boolean | undefined;
             } | undefined;
+            ore?: {} | undefined;
             unique?: {
                 token_filters?: {
                     kind: "downcase";
@@ -705,35 +735,44 @@ type SteVecIndexOpts = z.infer<typeof steVecIndexOptsSchema>;
 type UniqueIndexOpts = z.infer<typeof uniqueIndexOptsSchema>;
 type OreIndexOpts = z.infer<typeof oreIndexOptsSchema>;
 type ColumnSchema = z.infer<typeof columnSchema>;
-type ProtectTableColumn = {
-    [key: string]: ProtectColumn | {
-        [key: string]: ProtectValue | {
-            [key: string]: ProtectValue | {
-                [key: string]: ProtectValue;
+/**
+ * Shape of table columns: either top-level {@link EncryptedColumn} or nested
+ * objects whose leaves are {@link EncryptedField}. Used with {@link encryptedTable}.
+ */
+type EncryptedTableColumn = {
+    [key: string]: EncryptedColumn | {
+        [key: string]: EncryptedField | {
+            [key: string]: EncryptedField | {
+                [key: string]: EncryptedField;
             };
         };
     };
 };
 type EncryptConfig = z.infer<typeof encryptConfigSchema>;
-declare class ProtectValue {
+/**
+ * Builder for a nested encrypted field (encrypted but not searchable).
+ * Create with {@link encryptedField}. Use inside nested objects in {@link encryptedTable};
+ * supports `.dataType()` for plaintext type. No index methods (equality, orderAndRange, etc.).
+ */
+declare class EncryptedField {
     private valueName;
     private castAsValue;
     constructor(valueName: string);
     /**
-     * Set or override the plaintext data type for this value.
+     * Set or override the plaintext data type for this field.
      *
      * By default all values are treated as `'string'`. Use this method to specify
      * a different type so the encryption layer knows how to encode the plaintext
      * before encrypting.
      *
      * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
-     * @returns This `ProtectValue` instance for method chaining.
+     * @returns This `EncryptedField` instance for method chaining.
      *
      * @example
      * ```typescript
-     * import { encryptedValue } from "@cipherstash/stack/schema"
+     * import { encryptedField } from "@cipherstash/stack/schema"
      *
-     * const age = encryptedValue("age").dataType("number")
+     * const age = encryptedField("age").dataType("number")
      * ```
      */
     dataType(castAs: CastAs): this;
@@ -743,7 +782,7 @@ declare class ProtectValue {
     };
     getName(): string;
 }
-declare class ProtectColumn {
+declare class EncryptedColumn {
     private columnName;
     private castAsValue;
     private indexesValue;
@@ -756,7 +795,7 @@ declare class ProtectColumn {
      * before encrypting.
      *
      * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
-     * @returns This `ProtectColumn` instance for method chaining.
+     * @returns This `EncryptedColumn` instance for method chaining.
      *
      * @example
      * ```typescript
@@ -772,7 +811,7 @@ declare class ProtectColumn {
      * ORE allows sorting, comparison, and range queries on encrypted data.
      * Use with `encryptQuery` and `queryType: 'orderAndRange'`.
      *
-     * @returns This `ProtectColumn` instance for method chaining.
+     * @returns This `EncryptedColumn` instance for method chaining.
      *
      * @example
      * ```typescript
@@ -792,7 +831,7 @@ declare class ProtectColumn {
      *
      * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
      *   When omitted, no token filters are applied.
-     * @returns This `ProtectColumn` instance for method chaining.
+     * @returns This `EncryptedColumn` instance for method chaining.
      *
      * @example
      * ```typescript
@@ -812,7 +851,7 @@ declare class ProtectColumn {
      *
      * @param opts - Optional match index configuration. Defaults to 3-character ngram
      *   tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
-     * @returns This `ProtectColumn` instance for method chaining.
+     * @returns This `EncryptedColumn` instance for method chaining.
      *
      * @example
      * ```typescript
@@ -844,7 +883,7 @@ declare class ProtectColumn {
      * the plaintext type: strings become selector queries, objects/arrays become
      * containment queries.
      *
-     * @returns This `ProtectColumn` instance for method chaining.
+     * @returns This `EncryptedColumn` instance for method chaining.
      *
      * @example
      * ```typescript
@@ -871,9 +910,11 @@ interface TableDefinition {
     tableName: string;
     columns: Record<string, ColumnSchema>;
 }
-declare class ProtectTable<T extends ProtectTableColumn> {
+declare class EncryptedTable<T extends EncryptedTableColumn> {
     readonly tableName: string;
     private readonly columnBuilders;
+    /** @internal Type-level brand so TypeScript can infer `T` from `EncryptedTable<T>`. */
+    readonly _columnType: T;
     constructor(tableName: string, columnBuilders: T);
     /**
      * Compile this table schema into a `TableDefinition` used internally by the encryption client.
@@ -897,7 +938,7 @@ declare class ProtectTable<T extends ProtectTableColumn> {
     build(): TableDefinition;
 }
 /**
- * Infer the plaintext (decrypted) type from a ProtectTable schema.
+ * Infer the plaintext (decrypted) type from a EncryptedTable schema.
  *
  * @example
  * ```typescript
@@ -910,11 +951,11 @@ declare class ProtectTable<T extends ProtectTableColumn> {
  * // => { email: string; name: string }
  * ```
  */
-type InferPlaintext<T extends ProtectTable<any>> = T extends ProtectTable<infer C> ? {
-    [K in keyof C as C[K] extends ProtectColumn | ProtectValue ? K : never]: string;
+type InferPlaintext<T extends EncryptedTable<any>> = T extends EncryptedTable<infer C> ? {
+    [K in keyof C as C[K] extends EncryptedColumn | EncryptedField ? K : never]: string;
 } : never;
 /**
- * Infer the encrypted type from a ProtectTable schema.
+ * Infer the encrypted type from a EncryptedTable schema.
  *
  * @example
  * ```typescript
@@ -926,13 +967,13 @@ type InferPlaintext<T extends ProtectTable<any>> = T extends ProtectTable<infer
  * // => { email: Encrypted }
  * ```
  */
-type InferEncrypted<T extends ProtectTable<any>> = T extends ProtectTable<infer C> ? {
-    [K in keyof C as C[K] extends ProtectColumn | ProtectValue ? K : never]: Encrypted;
+type InferEncrypted<T extends EncryptedTable<any>> = T extends EncryptedTable<infer C> ? {
+    [K in keyof C as C[K] extends EncryptedColumn | EncryptedField ? K : never]: Encrypted;
 } : never;
 /**
  * Define an encrypted table schema.
  *
- * Creates a `ProtectTable` that maps a database table name to a set of encrypted
+ * Creates a `EncryptedTable` that maps a database table name to a set of encrypted
  * column definitions. Pass the resulting object to `Encryption({ schemas: [...] })`
  * when initializing the client.
  *
@@ -942,8 +983,9 @@ type InferEncrypted<T extends ProtectTable<any>> = T extends ProtectTable<infer
  *
  * @param tableName - The name of the database table this schema represents.
  * @param columns - An object whose keys are logical column names and values are
- *   `ProtectColumn` instances created with {@link encryptedColumn}.
- * @returns A `ProtectTable<T> & T` that can be used as both a schema definition
+ *   {@link EncryptedColumn} from {@link encryptedColumn}, or nested objects whose
+ *   leaves are {@link EncryptedField} from {@link encryptedField}.
+ * @returns A `EncryptedTable<T> & T` that can be used as both a schema definition
  *   and a column accessor.
  *
  * @example
@@ -962,17 +1004,17 @@ type InferEncrypted<T extends ProtectTable<any>> = T extends ProtectTable<infer
  * await client.encrypt("hello@example.com", { column: users.email, table: users })
  * ```
  */
-declare function encryptedTable<T extends ProtectTableColumn>(tableName: string, columns: T): ProtectTable<T> & T;
+declare function encryptedTable<T extends EncryptedTableColumn>(tableName: string, columns: T): EncryptedTable<T> & T;
 /**
  * Define an encrypted column within a table schema.
  *
- * Creates a `ProtectColumn` builder for the given column name. Chain index
+ * Creates a `EncryptedColumn` builder for the given column name. Chain index
  * methods (`.equality()`, `.freeTextSearch()`, `.orderAndRange()`,
  * `.searchableJson()`) and/or `.dataType()` to configure searchable encryption
  * and the plaintext data type.
  *
  * @param columnName - The name of the database column to encrypt.
- * @returns A new `ProtectColumn` builder.
+ * @returns A new `EncryptedColumn` builder.
  *
  * @example
  * ```typescript
@@ -983,31 +1025,31 @@ declare function encryptedTable<T extends ProtectTableColumn>(tableName: string,
  * })
  * ```
  */
-declare function encryptedColumn(columnName: string): ProtectColumn;
+declare function encryptedColumn(columnName: string): EncryptedColumn;
 /**
- * Define an encrypted value for use in nested or structured schemas.
+ * Define an encrypted field for use in nested or structured schemas.
  *
- * `encryptedValue` is similar to {@link encryptedColumn} but creates a `ProtectValue`
- * intended for nested fields within a table schema. It supports `.dataType()`
- * for specifying the plaintext type.
+ * `encryptedField` is similar to {@link encryptedColumn} but creates an {@link EncryptedField}
+ * for nested fields that are encrypted but not searchable (no indexes). Use `.dataType()`
+ * to specify the plaintext type.
  *
  * @param valueName - The name of the value field.
- * @returns A new `ProtectValue` builder.
+ * @returns A new `EncryptedField` builder.
  *
  * @example
  * ```typescript
- * import { encryptedTable, encryptedValue } from "@cipherstash/stack/schema"
+ * import { encryptedTable, encryptedField } from "@cipherstash/stack/schema"
  *
  * const orders = encryptedTable("orders", {
  *   details: {
- *     amount: encryptedValue("amount").dataType("number"),
- *     currency: encryptedValue("currency"),
+ *     amount: encryptedField("amount").dataType("number"),
+ *     currency: encryptedField("currency"),
  *   },
  * })
  * ```
  */
-declare function encryptedValue(valueName: string): ProtectValue;
+declare function encryptedField(valueName: string): EncryptedField;
 /** @internal */
-declare function buildEncryptConfig(...protectTables: Array<ProtectTable<ProtectTableColumn>>): EncryptConfig;
+declare function buildEncryptConfig(...protectTables: Array<EncryptedTable<EncryptedTableColumn>>): EncryptConfig;
 
-export { type EncryptedSearchTerm as A, type BulkDecryptedData as B, type CastAs as C, type Decrypted as D, type EncryptionClientConfig as E, type EncryptedFields as F, type OtherFields as G, type DecryptedFields as H, type InferPlaintext as I, type DecryptionResult as J, type KeysetIdentifier as K, type LoggingConfig as L, type MatchIndexOpts as M, queryTypes as N, type OreIndexOpts as O, ProtectColumn as P, type QueryTypeName as Q, type ScalarQueryTerm as S, type TokenFilter as T, type UniqueIndexOpts as U, encryptedColumn as a, encryptedValue as b, type InferEncrypted as c, ProtectTable as d, encryptedTable as e, type ProtectTableColumn as f, ProtectValue as g, type Encrypted as h, type EncryptedValue as i, type EncryptedQueryResult as j, type Client as k, type BulkDecryptPayload as l, type BulkEncryptedData as m, type BulkEncryptPayload as n, type EncryptOptions as o, type EncryptQueryOptions as p, type EncryptedReturnType as q, type EncryptConfig as r, castAsEnum as s, encryptConfigSchema as t, type SteVecIndexOpts as u, type ColumnSchema as v, buildEncryptConfig as w, type EncryptPayload as x, type ClientConfig as y, type SearchTerm as z };
+export { type ClientConfig as A, type BulkDecryptedData as B, type CastAs as C, type Decrypted as D, type EncryptionClientConfig as E, type SearchTerm as F, type EncryptedSearchTerm as G, type EncryptedFields as H, type InferPlaintext as I, type OtherFields as J, type KeysetIdentifier as K, type DecryptedFields as L, type MatchIndexOpts as M, type DecryptionResult as N, type OreIndexOpts as O, type LoggingConfig as P, type QueryTypeName as Q, queryTypes as R, type ScalarQueryTerm as S, type TokenFilter as T, type UniqueIndexOpts as U, encryptedColumn as a, encryptedField as b, type InferEncrypted as c, EncryptedColumn as d, encryptedTable as e, EncryptedTable as f, type EncryptedTableColumn as g, EncryptedField as h, type EncryptedFromSchema as i, type Encrypted as j, type EncryptedValue as k, type EncryptedQueryResult as l, type Client as m, type BulkDecryptPayload as n, type BulkEncryptedData as o, type BulkEncryptPayload as p, type EncryptOptions as q, type EncryptQueryOptions as r, type EncryptedReturnType as s, type EncryptConfig as t, castAsEnum as u, encryptConfigSchema as v, type SteVecIndexOpts as w, type ColumnSchema as x, buildEncryptConfig as y, type EncryptPayload as z };