@cipherstash/stack 0.1.0 → 0.3.0

package/dist/{chunk-7XRPN2KX.js → chunk-TBAIVO6T.js}

@@ -43,7 +43,7 @@ var encryptConfigSchema = z.object({
   v: z.number(),
   tables: tablesSchema
 });
-var ProtectValue = class {
+var EncryptedField = class {
   valueName;
   castAsValue;
   constructor(valueName) {
@@ -51,20 +51,20 @@ var ProtectValue = class {
     this.castAsValue = "string";
   }
   /**
-   * Set or override the plaintext data type for this value.
+   * Set or override the plaintext data type for this field.
    *
    * By default all values are treated as `'string'`. Use this method to specify
    * a different type so the encryption layer knows how to encode the plaintext
    * before encrypting.
    *
    * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
-   * @returns This `ProtectValue` instance for method chaining.
+   * @returns This `EncryptedField` instance for method chaining.
    *
    * @example
    * ```typescript
-   * import { encryptedValue } from "@cipherstash/stack/schema"
+   * import { encryptedField } from "@cipherstash/stack/schema"
    *
-   * const age = encryptedValue("age").dataType("number")
+   * const age = encryptedField("age").dataType("number")
    * ```
    */
   dataType(castAs) {
@@ -81,7 +81,7 @@ var ProtectValue = class {
     return this.valueName;
   }
 };
-var ProtectColumn = class {
+var EncryptedColumn = class {
   columnName;
   castAsValue;
   indexesValue = {};
@@ -97,7 +97,7 @@ var ProtectColumn = class {
    * before encrypting.
    *
    * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
-   * @returns This `ProtectColumn` instance for method chaining.
+   * @returns This `EncryptedColumn` instance for method chaining.
    *
    * @example
    * ```typescript
@@ -116,7 +116,7 @@ var ProtectColumn = class {
    * ORE allows sorting, comparison, and range queries on encrypted data.
    * Use with `encryptQuery` and `queryType: 'orderAndRange'`.
    *
-   * @returns This `ProtectColumn` instance for method chaining.
+   * @returns This `EncryptedColumn` instance for method chaining.
    *
    * @example
    * ```typescript
@@ -139,7 +139,7 @@ var ProtectColumn = class {
    *
    * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
    *   When omitted, no token filters are applied.
-   * @returns This `ProtectColumn` instance for method chaining.
+   * @returns This `EncryptedColumn` instance for method chaining.
    *
    * @example
    * ```typescript
@@ -164,7 +164,7 @@ var ProtectColumn = class {
    *
    * @param opts - Optional match index configuration. Defaults to 3-character ngram
    *   tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
-   * @returns This `ProtectColumn` instance for method chaining.
+   * @returns This `EncryptedColumn` instance for method chaining.
    *
    * @example
    * ```typescript
@@ -209,7 +209,7 @@ var ProtectColumn = class {
    * the plaintext type: strings become selector queries, objects/arrays become
    * containment queries.
    *
-   * @returns This `ProtectColumn` instance for method chaining.
+   * @returns This `EncryptedColumn` instance for method chaining.
    *
    * @example
    * ```typescript
@@ -235,7 +235,7 @@ var ProtectColumn = class {
     return this.columnName;
   }
 };
-var ProtectTable = class {
+var EncryptedTable = class {
   constructor(tableName, columnBuilders) {
     this.tableName = tableName;
     this.columnBuilders = columnBuilders;
@@ -262,7 +262,7 @@ var ProtectTable = class {
   build() {
     const builtColumns = {};
     const processColumn = (builder, colName) => {
-      if (builder instanceof ProtectColumn) {
+      if (builder instanceof EncryptedColumn) {
         const builtColumn = builder.build();
         if (builtColumn.cast_as === "json" && builtColumn.indexes.ste_vec?.prefix === "enabled") {
           builtColumns[colName] = {
@@ -279,7 +279,7 @@ var ProtectTable = class {
         }
       } else {
         for (const [key, value] of Object.entries(builder)) {
-          if (value instanceof ProtectValue) {
+          if (value instanceof EncryptedField) {
             builtColumns[value.getName()] = value.build();
           } else {
             processColumn(value, key);
@@ -297,7 +297,10 @@ var ProtectTable = class {
   }
 };
 function encryptedTable(tableName, columns) {
-  const tableBuilder = new ProtectTable(tableName, columns);
+  const tableBuilder = new EncryptedTable(
+    tableName,
+    columns
+  );
   for (const [colName, colBuilder] of Object.entries(columns)) {
     ;
     tableBuilder[colName] = colBuilder;
@@ -305,10 +308,10 @@ function encryptedTable(tableName, columns) {
   return tableBuilder;
 }
 function encryptedColumn(columnName) {
-  return new ProtectColumn(columnName);
+  return new EncryptedColumn(columnName);
 }
-function encryptedValue(valueName) {
-  return new ProtectValue(valueName);
+function encryptedField(valueName) {
+  return new EncryptedField(valueName);
 }
 function buildEncryptConfig(...protectTables) {
   const config = {
@@ -325,12 +328,12 @@ function buildEncryptConfig(...protectTables) {
 export {
   castAsEnum,
   encryptConfigSchema,
-  ProtectValue,
-  ProtectColumn,
-  ProtectTable,
+  EncryptedField,
+  EncryptedColumn,
+  EncryptedTable,
   encryptedTable,
   encryptedColumn,
-  encryptedValue,
+  encryptedField,
   buildEncryptConfig
 };
-//# sourceMappingURL=chunk-7XRPN2KX.js.map
+//# sourceMappingURL=chunk-TBAIVO6T.js.map

package/dist/chunk-TBAIVO6T.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/schema/index.ts"],"sourcesContent":["import type { Encrypted } from '@/types'\nimport { z } from 'zod'\n\n// ------------------------\n// Zod schemas\n// ------------------------\n\n/**\n * Allowed cast types for CipherStash schema fields.\n *\n * **Possible values:**\n * - `\"bigint\"`\n * - `\"boolean\"`\n * - `\"date\"`\n * - `\"number\"`\n * - `\"string\"`\n * - `\"json\"`\n *\n * @remarks\n * This is a Zod enum used at runtime to validate schema definitions.\n * Use {@link CastAs} when typing your own code.\n *\n * @internal\n */\nexport const castAsEnum = z\n  .enum(['bigint', 'boolean', 'date', 'number', 'string', 'json'])\n  .default('string')\n\nconst tokenFilterSchema = z.object({\n  kind: z.literal('downcase'),\n})\n\nconst tokenizerSchema = z\n  .union([\n    z.object({\n      kind: z.literal('standard'),\n    }),\n    z.object({\n      kind: z.literal('ngram'),\n      token_length: z.number(),\n    }),\n  ])\n  .default({ kind: 'ngram', token_length: 3 })\n  .optional()\n\nconst oreIndexOptsSchema = z.object({})\n\nconst uniqueIndexOptsSchema = z.object({\n  token_filters: z.array(tokenFilterSchema).default([]).optional(),\n})\n\nconst matchIndexOptsSchema = z.object({\n  tokenizer: tokenizerSchema,\n  token_filters: z.array(tokenFilterSchema).default([]).optional(),\n  k: z.number().default(6).optional(),\n  m: z.number().default(2048).optional(),\n  include_original: z.boolean().default(false).optional(),\n})\n\nconst steVecIndexOptsSchema = z.object({\n  prefix: z.string(),\n})\n\nconst indexesSchema = z\n  .object({\n    ore: oreIndexOptsSchema.optional(),\n    unique: uniqueIndexOptsSchema.optional(),\n    match: matchIndexOptsSchema.optional(),\n    ste_vec: steVecIndexOptsSchema.optional(),\n  })\n  .default({})\n\nconst columnSchema = z\n  .object({\n    cast_as: castAsEnum,\n    indexes: indexesSchema,\n  })\n  .default({})\n\nconst tableSchema = z.record(columnSchema).default({})\n\nconst tablesSchema = z.record(tableSchema).default({})\n\n/** @internal */\nexport const encryptConfigSchema = z.object({\n  v: z.number(),\n  tables: tablesSchema,\n})\n\n// ------------------------\n// Type definitions\n// ------------------------\n\n/**\n * Type-safe alias for {@link castAsEnum} used to specify the *unencrypted* data type of a column or value.\n * This is important because once encrypted, all data is stored as binary blobs.\n *\n * @see {@link castAsEnum} for possible values.\n */\nexport type CastAs = z.infer<typeof castAsEnum>\nexport type TokenFilter = z.infer<typeof tokenFilterSchema>\nexport type MatchIndexOpts = z.infer<typeof matchIndexOptsSchema>\nexport type SteVecIndexOpts = z.infer<typeof steVecIndexOptsSchema>\nexport type UniqueIndexOpts = z.infer<typeof uniqueIndexOptsSchema>\nexport type OreIndexOpts = z.infer<typeof oreIndexOptsSchema>\nexport type ColumnSchema = z.infer<typeof columnSchema>\n\n/**\n * Shape of table columns: either top-level {@link EncryptedColumn} or nested\n * objects whose leaves are {@link EncryptedField}. Used with {@link encryptedTable}.\n */\nexport type EncryptedTableColumn = {\n  [key: string]:\n    | EncryptedColumn\n    | {\n        [key: string]:\n          | EncryptedField\n          | {\n              [key: string]:\n                | EncryptedField\n                | {\n                    [key: string]: EncryptedField\n                  }\n            }\n      }\n}\nexport type EncryptConfig = z.infer<typeof encryptConfigSchema>\n\n// ------------------------\n// Interface definitions\n// ------------------------\n\n/**\n * Builder for a nested encrypted field (encrypted but not searchable).\n * Create with {@link encryptedField}. Use inside nested objects in {@link encryptedTable};\n * supports `.dataType()` for plaintext type. No index methods (equality, orderAndRange, etc.).\n */\nexport class EncryptedField {\n  private valueName: string\n  private castAsValue: CastAs\n\n  constructor(valueName: string) {\n    this.valueName = valueName\n    this.castAsValue = 'string'\n  }\n\n  /**\n   * Set or override the plaintext data type for this field.\n   *\n   * By default all values are treated as `'string'`. Use this method to specify\n   * a different type so the encryption layer knows how to encode the plaintext\n   * before encrypting.\n   *\n   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.\n   * @returns This `EncryptedField` instance for method chaining.\n   *\n   * @example\n   * ```typescript\n   * import { encryptedField } from \"@cipherstash/stack/schema\"\n   *\n   * const age = encryptedField(\"age\").dataType(\"number\")\n   * ```\n   */\n  dataType(castAs: CastAs) {\n    this.castAsValue = castAs\n    return this\n  }\n\n  build() {\n    return {\n      cast_as: this.castAsValue,\n      indexes: {},\n    }\n  }\n\n  getName() {\n    return this.valueName\n  }\n}\n\nexport class EncryptedColumn {\n  private columnName: string\n  private castAsValue: CastAs\n  private indexesValue: {\n    ore?: OreIndexOpts\n    unique?: UniqueIndexOpts\n    match?: Required<MatchIndexOpts>\n    ste_vec?: SteVecIndexOpts\n  } = {}\n\n  constructor(columnName: string) {\n    this.columnName = columnName\n    this.castAsValue = 'string'\n  }\n\n  /**\n   * Set or override the plaintext data type for this column.\n   *\n   * By default all columns are treated as `'string'`. Use this method to specify\n   * a different type so the encryption layer knows how to encode the plaintext\n   * before encrypting.\n   *\n   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.\n   * @returns This `EncryptedColumn` instance for method chaining.\n   *\n   * @example\n   * ```typescript\n   * import { encryptedColumn } from \"@cipherstash/stack/schema\"\n   *\n   * const dateOfBirth = encryptedColumn(\"date_of_birth\").dataType(\"date\")\n   * ```\n   */\n  dataType(castAs: CastAs) {\n    this.castAsValue = castAs\n    return this\n  }\n\n  /**\n   * Enable Order-Revealing Encryption (ORE) indexing on this column.\n   *\n   * ORE allows sorting, comparison, and range queries on encrypted data.\n   * Use with `encryptQuery` and `queryType: 'orderAndRange'`.\n   *\n   * @returns This `EncryptedColumn` instance for method chaining.\n   *\n   * @example\n   * ```typescript\n   * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n   *\n   * const users = encryptedTable(\"users\", {\n   *   email: encryptedColumn(\"email\").orderAndRange(),\n   * })\n   * ```\n   */\n  orderAndRange() {\n    this.indexesValue.ore = {}\n    return this\n  }\n\n  /**\n   * Enable an exact-match (unique) index on this column.\n   *\n   * Allows equality queries on encrypted data. Use with `encryptQuery`\n   * and `queryType: 'equality'`.\n   *\n   * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).\n   *   When omitted, no token filters are applied.\n   * @returns This `EncryptedColumn` instance for method chaining.\n   *\n   * @example\n   * ```typescript\n   * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n   *\n   * const users = encryptedTable(\"users\", {\n   *   email: encryptedColumn(\"email\").equality(),\n   * })\n   * ```\n   */\n  equality(tokenFilters?: TokenFilter[]) {\n    this.indexesValue.unique = {\n      token_filters: tokenFilters ?? [],\n    }\n    return this\n  }\n\n  /**\n   * Enable a full-text / fuzzy search (match) index on this column.\n   *\n   * Uses n-gram tokenization by default for substring and fuzzy matching.\n   * Use with `encryptQuery` and `queryType: 'freeTextSearch'`.\n   *\n   * @param opts - Optional match index configuration. Defaults to 3-character ngram\n   *   tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.\n   * @returns This `EncryptedColumn` instance for method chaining.\n   *\n   * @example\n   * ```typescript\n   * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n   *\n   * const users = encryptedTable(\"users\", {\n   *   email: encryptedColumn(\"email\").freeTextSearch(),\n   * })\n   *\n   * // With custom options\n   * const posts = encryptedTable(\"posts\", {\n   *   body: encryptedColumn(\"body\").freeTextSearch({\n   *     tokenizer: { kind: \"ngram\", token_length: 4 },\n   *     k: 8,\n   *     m: 4096,\n   *   }),\n   * })\n   * ```\n   */\n  freeTextSearch(opts?: MatchIndexOpts) {\n    // Provide defaults\n    this.indexesValue.match = {\n      tokenizer: opts?.tokenizer ?? { kind: 'ngram', token_length: 3 },\n      token_filters: opts?.token_filters ?? [\n        {\n          kind: 'downcase',\n        },\n      ],\n      k: opts?.k ?? 6,\n      m: opts?.m ?? 2048,\n      include_original: opts?.include_original ?? true,\n    }\n    return this\n  }\n\n  /**\n   * Configure this column for searchable encrypted JSON (STE-Vec).\n   *\n   * Enables encrypted JSONPath selector queries (e.g. `'$.user.email'`) and\n   * containment queries (e.g. `{ role: 'admin' }`). Automatically sets the\n   * data type to `'json'`.\n   *\n   * When used with `encryptQuery`, the query operation is auto-inferred from\n   * the plaintext type: strings become selector queries, objects/arrays become\n   * containment queries.\n   *\n   * @returns This `EncryptedColumn` instance for method chaining.\n   *\n   * @example\n   * ```typescript\n   * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n   *\n   * const documents = encryptedTable(\"documents\", {\n   *   metadata: encryptedColumn(\"metadata\").searchableJson(),\n   * })\n   * ```\n   */\n  searchableJson() {\n    this.castAsValue = 'json'\n    this.indexesValue.ste_vec = { prefix: 'enabled' }\n    return this\n  }\n\n  build() {\n    return {\n      cast_as: this.castAsValue,\n      indexes: this.indexesValue,\n    }\n  }\n\n  getName() {\n    return this.columnName\n  }\n}\n\ninterface TableDefinition {\n  tableName: string\n  columns: Record<string, ColumnSchema>\n}\n\nexport class EncryptedTable<T extends EncryptedTableColumn> {\n  /** @internal Type-level brand so TypeScript can infer `T` from `EncryptedTable<T>`. */\n  declare readonly _columnType: T\n\n  constructor(\n    public readonly tableName: string,\n    private readonly columnBuilders: T,\n  ) {}\n\n  /**\n   * Compile this table schema into a `TableDefinition` used internally by the encryption client.\n   *\n   * Iterates over all column builders, calls `.build()` on each, and assembles\n   * the final `{ tableName, columns }` structure. For `searchableJson()` columns,\n   * the STE-Vec prefix is automatically set to `\"<tableName>/<columnName>\"`.\n   *\n   * @returns A `TableDefinition` containing the table name and built column configs.\n   *\n   * @example\n   * ```typescript\n   * const users = encryptedTable(\"users\", {\n   *   email: encryptedColumn(\"email\").equality(),\n   * })\n   *\n   * const definition = users.build()\n   * // { tableName: \"users\", columns: { email: { cast_as: \"string\", indexes: { unique: ... } } } }\n   * ```\n   */\n  build(): TableDefinition {\n    const builtColumns: Record<string, ColumnSchema> = {}\n\n    const processColumn = (\n      builder:\n        | EncryptedColumn\n        | Record<\n            string,\n            | EncryptedField\n            | Record<\n                string,\n                | EncryptedField\n                | Record<\n                    string,\n                    EncryptedField | Record<string, EncryptedField>\n                  >\n              >\n          >,\n      colName: string,\n    ) => {\n      if (builder instanceof EncryptedColumn) {\n        const builtColumn = builder.build()\n\n        // Hanlde building the ste_vec index for JSON columns so users don't have to pass the prefix.\n        if (\n          builtColumn.cast_as === 'json' &&\n          builtColumn.indexes.ste_vec?.prefix === 'enabled'\n        ) {\n          builtColumns[colName] = {\n            ...builtColumn,\n            indexes: {\n              ...builtColumn.indexes,\n              ste_vec: {\n                prefix: `${this.tableName}/${colName}`,\n              },\n            },\n          }\n        } else {\n          builtColumns[colName] = builtColumn\n        }\n      } else {\n        for (const [key, value] of Object.entries(builder)) {\n          if (value instanceof EncryptedField) {\n            builtColumns[value.getName()] = value.build()\n          } else {\n            processColumn(value, key)\n          }\n        }\n      }\n    }\n\n    for (const [colName, builder] of Object.entries(this.columnBuilders)) {\n      processColumn(builder, colName)\n    }\n\n    return {\n      tableName: this.tableName,\n      columns: builtColumns,\n    }\n  }\n}\n\n// ------------------------\n// Schema type inference helpers\n// ------------------------\n\n/**\n * Infer the plaintext (decrypted) type from a EncryptedTable schema.\n *\n * @example\n * ```typescript\n * const users = encryptedTable(\"users\", {\n *   email: encryptedColumn(\"email\").equality(),\n *   name: encryptedColumn(\"name\"),\n * })\n *\n * type UserPlaintext = InferPlaintext<typeof users>\n * // => { email: string; name: string }\n * ```\n */\nexport type InferPlaintext<T extends EncryptedTable<any>> =\n  T extends EncryptedTable<infer C>\n    ? {\n        [K in keyof C as C[K] extends EncryptedColumn | EncryptedField\n          ? K\n          : never]: string\n      }\n    : never\n\n/**\n * Infer the encrypted type from a EncryptedTable schema.\n *\n * @example\n * ```typescript\n * const users = encryptedTable(\"users\", {\n *   email: encryptedColumn(\"email\").equality(),\n * })\n *\n * type UserEncrypted = InferEncrypted<typeof users>\n * // => { email: Encrypted }\n * ```\n */\nexport type InferEncrypted<T extends EncryptedTable<any>> =\n  T extends EncryptedTable<infer C>\n    ? {\n        [K in keyof C as C[K] extends EncryptedColumn | EncryptedField\n          ? K\n          : never]: Encrypted\n      }\n    : never\n\n// ------------------------\n// User facing functions\n// ------------------------\n\n/**\n * Define an encrypted table schema.\n *\n * Creates a `EncryptedTable` that maps a database table name to a set of encrypted\n * column definitions. Pass the resulting object to `Encryption({ schemas: [...] })`\n * when initializing the client.\n *\n * The returned object is also a proxy that exposes each column builder directly,\n * so you can reference columns as `users.email` when calling `encrypt`, `decrypt`,\n * and `encryptQuery`.\n *\n * @param tableName - The name of the database table this schema represents.\n * @param columns - An object whose keys are logical column names and values are\n *   {@link EncryptedColumn} from {@link encryptedColumn}, or nested objects whose\n *   leaves are {@link EncryptedField} from {@link encryptedField}.\n * @returns A `EncryptedTable<T> & T` that can be used as both a schema definition\n *   and a column accessor.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n *   email: encryptedColumn(\"email\").equality().freeTextSearch(),\n *   address: encryptedColumn(\"address\"),\n * })\n *\n * // Use as schema\n * const client = await Encryption({ schemas: [users] })\n *\n * // Use as column accessor\n * await client.encrypt(\"hello@example.com\", { column: users.email, table: users })\n * ```\n */\nexport function encryptedTable<T extends EncryptedTableColumn>(\n  tableName: string,\n  columns: T,\n): EncryptedTable<T> & T {\n  const tableBuilder = new EncryptedTable(\n    tableName,\n    columns,\n  ) as EncryptedTable<T> & T\n\n  for (const [colName, colBuilder] of Object.entries(columns)) {\n    ;(tableBuilder as EncryptedTableColumn)[colName] = colBuilder\n  }\n\n  return tableBuilder\n}\n\n/**\n * Define an encrypted column within a table schema.\n *\n * Creates a `EncryptedColumn` builder for the given column name. Chain index\n * methods (`.equality()`, `.freeTextSearch()`, `.orderAndRange()`,\n * `.searchableJson()`) and/or `.dataType()` to configure searchable encryption\n * and the plaintext data type.\n *\n * @param columnName - The name of the database column to encrypt.\n * @returns A new `EncryptedColumn` builder.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n *   email: encryptedColumn(\"email\").equality().freeTextSearch().orderAndRange(),\n * })\n * ```\n */\nexport function encryptedColumn(columnName: string) {\n  return new EncryptedColumn(columnName)\n}\n\n/**\n * Define an encrypted field for use in nested or structured schemas.\n *\n * `encryptedField` is similar to {@link encryptedColumn} but creates an {@link EncryptedField}\n * for nested fields that are encrypted but not searchable (no indexes). Use `.dataType()`\n * to specify the plaintext type.\n *\n * @param valueName - The name of the value field.\n * @returns A new `EncryptedField` builder.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedField } from \"@cipherstash/stack/schema\"\n *\n * const orders = encryptedTable(\"orders\", {\n *   details: {\n *     amount: encryptedField(\"amount\").dataType(\"number\"),\n *     currency: encryptedField(\"currency\"),\n *   },\n * })\n * ```\n */\nexport function encryptedField(valueName: string) {\n  return new EncryptedField(valueName)\n}\n\n// ------------------------\n// Internal functions\n// ------------------------\n\n/** @internal */\nexport function buildEncryptConfig(\n  ...protectTables: Array<EncryptedTable<EncryptedTableColumn>>\n): EncryptConfig {\n  const config: EncryptConfig = {\n    v: 2,\n    tables: {},\n  }\n\n  for (const tb of protectTables) {\n    const tableDef = tb.build()\n    config.tables[tableDef.tableName] = tableDef.columns\n  }\n\n  return config\n}\n"],"mappings":";AACA,SAAS,SAAS;AAuBX,IAAM,aAAa,EACvB,KAAK,CAAC,UAAU,WAAW,QAAQ,UAAU,UAAU,MAAM,CAAC,EAC9D,QAAQ,QAAQ;AAEnB,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACjC,MAAM,EAAE,QAAQ,UAAU;AAC5B,CAAC;AAED,IAAM,kBAAkB,EACrB,MAAM;AAAA,EACL,EAAE,OAAO;AAAA,IACP,MAAM,EAAE,QAAQ,UAAU;AAAA,EAC5B,CAAC;AAAA,EACD,EAAE,OAAO;AAAA,IACP,MAAM,EAAE,QAAQ,OAAO;AAAA,IACvB,cAAc,EAAE,OAAO;AAAA,EACzB,CAAC;AACH,CAAC,EACA,QAAQ,EAAE,MAAM,SAAS,cAAc,EAAE,CAAC,EAC1C,SAAS;AAEZ,IAAM,qBAAqB,EAAE,OAAO,CAAC,CAAC;AAEtC,IAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,eAAe,EAAE,MAAM,iBAAiB,EAAE,QAAQ,CAAC,CAAC,EAAE,SAAS;AACjE,CAAC;AAED,IAAM,uBAAuB,EAAE,OAAO;AAAA,EACpC,WAAW;AAAA,EACX,eAAe,EAAE,MAAM,iBAAiB,EAAE,QAAQ,CAAC,CAAC,EAAE,SAAS;AAAA,EAC/D,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,SAAS;AAAA,EAClC,GAAG,EAAE,OAAO,EAAE,QAAQ,IAAI,EAAE,SAAS;AAAA,EACrC,kBAAkB,EAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS;AACxD,CAAC;AAED,IAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,QAAQ,EAAE,OAAO;AACnB,CAAC;AAED,IAAM,gBAAgB,EACnB,OAAO;AAAA,EACN,KAAK,mBAAmB,SAAS;AAAA,EACjC,QAAQ,sBAAsB,SAAS;AAAA,EACvC,OAAO,qBAAqB,SAAS;AAAA,EACrC,SAAS,sBAAsB,SAAS;AAC1C,CAAC,EACA,QAAQ,CAAC,CAAC;AAEb,IAAM,eAAe,EAClB,OAAO;AAAA,EACN,SAAS;AAAA,EACT,SAAS;AACX,CAAC,EACA,QAAQ,CAAC,CAAC;AAEb,IAAM,cAAc,EAAE,OAAO,YAAY,EAAE,QAAQ,CAAC,CAAC;AAErD,IAAM,eAAe,EAAE,OAAO,WAAW,EAAE,QAAQ,CAAC,CAAC;AAG9C,IAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,GAAG,EAAE,OAAO;AAAA,EACZ,QAAQ;AACV,CAAC;AAkDM,IAAM,iBAAN,MAAqB;AAAA,EAClB;AAAA,EACA;AAAA,EAER,YAAY,WAAmB;AAC7B,SAAK,YAAY;AACjB,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,SAAS,QAAgB;AACvB,SAAK,cAAc;AACnB,WAAO;AAAA,EACT;AAAA,EAEA,QAAQ;AACN,WAAO;AAAA,MACL,SAAS,KAAK;AAAA,MACd,SAAS,CAAC;AAAA,IACZ;AAAA,EACF;AAAA,EAEA,UAAU;AACR,WAAO,KAAK;AAAA,EACd;AACF;AAEO,IAAM,kBAAN,MAAsB;AAAA,EACnB;AAAA,EACA;AAAA,EACA,eAKJ,CAAC;AAAA,EAEL,YAAY,YAAoB;AAC9B,SAAK,aAAa;AAClB,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,SAAS,QAAgB;AACvB,SAAK,cAAc;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,gBAAgB;AACd,SAAK,aAAa,MAAM,CAAC;AACzB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,SAAS,cAA8B;AACrC,SAAK,aAAa,SAAS;AAAA,MACzB,eAAe,gBAAgB,CAAC;AAAA,IAClC;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,eAAe,MAAuB;AAEpC,SAAK,aAAa,QAAQ;AAAA,MACxB,WAAW,MAAM,aAAa,EAAE,MAAM,SAAS,cAAc,EAAE;AAAA,MAC/D,eAAe,MAAM,iBAAiB;AAAA,QACpC;AAAA,UACE,MAAM;AAAA,QACR;AAAA,MACF;AAAA,MACA,GAAG,MAAM,KAAK;AAAA,MACd,GAAG,MAAM,KAAK;AAAA,MACd,kBAAkB,MAAM,oBAAoB;AAAA,IAC9C;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,iBAAiB;AACf,SAAK,cAAc;AACnB,SAAK,aAAa,UAAU,EAAE,QAAQ,UAAU;AAChD,WAAO;AAAA,EACT;AAAA,EAEA,QAAQ;AACN,WAAO;AAAA,MACL,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,IAChB;AAAA,EACF;AAAA,EAEA,UAAU;AACR,WAAO,KAAK;AAAA,EACd;AACF;AAOO,IAAM,iBAAN,MAAqD;AAAA,EAI1D,YACkB,WACC,gBACjB;AAFgB;AACC;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBH,QAAyB;AACvB,UAAM,eAA6C,CAAC;AAEpD,UAAM,gBAAgB,CACpB,SAcA,YACG;AACH,UAAI,mBAAmB,iBAAiB;AACtC,cAAM,cAAc,QAAQ,MAAM;AAGlC,YACE,YAAY,YAAY,UACxB,YAAY,QAAQ,SAAS,WAAW,WACxC;AACA,uBAAa,OAAO,IAAI;AAAA,YACtB,GAAG;AAAA,YACH,SAAS;AAAA,cACP,GAAG,YAAY;AAAA,cACf,SAAS;AAAA,gBACP,QAAQ,GAAG,KAAK,SAAS,IAAI,OAAO;AAAA,cACtC;AAAA,YACF;AAAA,UACF;AAAA,QACF,OAAO;AACL,uBAAa,OAAO,IAAI;AAAA,QAC1B;AAAA,MACF,OAAO;AACL,mBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AAClD,cAAI,iBAAiB,gBAAgB;AACnC,yBAAa,MAAM,QAAQ,CAAC,IAAI,MAAM,MAAM;AAAA,UAC9C,OAAO;AACL,0BAAc,OAAO,GAAG;AAAA,UAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,eAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,KAAK,cAAc,GAAG;AACpE,oBAAc,SAAS,OAAO;AAAA,IAChC;AAEA,WAAO;AAAA,MACL,WAAW,KAAK;AAAA,MAChB,SAAS;AAAA,IACX;AAAA,EACF;AACF;AAyFO,SAAS,eACd,WACA,SACuB;AACvB,QAAM,eAAe,IAAI;AAAA,IACvB;AAAA,IACA;AAAA,EACF;AAEA,aAAW,CAAC,SAAS,UAAU,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC3D;AAAC,IAAC,aAAsC,OAAO,IAAI;AAAA,EACrD;AAEA,SAAO;AACT;AAsBO,SAAS,gBAAgB,YAAoB;AAClD,SAAO,IAAI,gBAAgB,UAAU;AACvC;AAwBO,SAAS,eAAe,WAAmB;AAChD,SAAO,IAAI,eAAe,SAAS;AACrC;AAOO,SAAS,sBACX,eACY;AACf,QAAM,SAAwB;AAAA,IAC5B,GAAG;AAAA,IACH,QAAQ,CAAC;AAAA,EACX;AAEA,aAAW,MAAM,eAAe;AAC9B,UAAM,WAAW,GAAG,MAAM;AAC1B,WAAO,OAAO,SAAS,SAAS,IAAI,SAAS;AAAA,EAC/C;AAEA,SAAO;AACT;","names":[]}

package/dist/{client-BxJG56Ey.d.cts → client-Bf0Xw2xo.d.cts}

@@ -1,4 +1,4 @@
-import { j as EncryptedQueryResult, k as Client, S as ScalarQueryTerm, B as BulkDecryptedData, l as BulkDecryptPayload, D as Decrypted, m as BulkEncryptedData, n as BulkEncryptPayload, o as EncryptOptions, P as ProtectColumn, g as ProtectValue, d as ProtectTable, f as ProtectTableColumn, h as Encrypted, p as EncryptQueryOptions, Q as QueryTypeName, q as EncryptedReturnType, r as EncryptConfig, K as KeysetIdentifier } from './types-public-BCj1L4fi.cjs';
+import { l as EncryptedQueryResult, m as Client, S as ScalarQueryTerm, B as BulkDecryptedData, n as BulkDecryptPayload, D as Decrypted, o as BulkEncryptedData, p as BulkEncryptPayload, q as EncryptOptions, d as EncryptedColumn, h as EncryptedField, f as EncryptedTable, g as EncryptedTableColumn, j as Encrypted, r as EncryptQueryOptions, Q as QueryTypeName, s as EncryptedReturnType, t as EncryptConfig, K as KeysetIdentifier, i as EncryptedFromSchema } from './types-public-0CzBV45X.cjs';
 import { a as EncryptionError, d as LockContext } from './index-9-Ya3fDK.cjs';
 import { Result } from '@byteslice/result';
 import { JsPlaintext } from '@cipherstash/protect-ffi';
@@ -99,8 +99,8 @@ declare class BulkEncryptOperation extends EncryptionOperation<BulkEncryptedData
     getOperation(): {
         client: Client;
         plaintexts: BulkEncryptPayload;
-        column: ProtectColumn | ProtectValue;
-        table: ProtectTable<ProtectTableColumn>;
+        column: EncryptedColumn | EncryptedField;
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class BulkEncryptOperationWithLockContext extends EncryptionOperation<BulkEncryptedData> {
@@ -114,13 +114,13 @@ declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> exte
     private client;
     private models;
     private table;
-    constructor(client: Client, models: Decrypted<T>[], table: ProtectTable<ProtectTableColumn>);
+    constructor(client: Client, models: Record<string, unknown>[], table: EncryptedTable<EncryptedTableColumn>);
     withLockContext(lockContext: LockContext): BulkEncryptModelsOperationWithLockContext<T>;
     execute(): Promise<Result<T[], EncryptionError>>;
     getOperation(): {
         client: Client;
-        models: Decrypted<T>[];
-        table: ProtectTable<ProtectTableColumn>;
+        models: Record<string, unknown>[];
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class BulkEncryptModelsOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T[]> {
@@ -182,8 +182,8 @@ declare class EncryptOperation extends EncryptionOperation<Encrypted> {
     getOperation(): {
         client: Client;
         plaintext: JsPlaintext | null;
-        column: ProtectColumn | ProtectValue;
-        table: ProtectTable<ProtectTableColumn>;
+        column: EncryptedColumn | EncryptedField;
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted> {
@@ -197,13 +197,13 @@ declare class EncryptModelOperation<T extends Record<string, unknown>> extends E
     private client;
     private model;
     private table;
-    constructor(client: Client, model: Decrypted<T>, table: ProtectTable<ProtectTableColumn>);
+    constructor(client: Client, model: Record<string, unknown>, table: EncryptedTable<EncryptedTableColumn>);
     withLockContext(lockContext: LockContext): EncryptModelOperationWithLockContext<T>;
     execute(): Promise<Result<T, EncryptionError>>;
     getOperation(): {
         client: Client;
-        model: Decrypted<T>;
-        table: ProtectTable<ProtectTableColumn>;
+        model: Record<string, unknown>;
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class EncryptModelOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T> {
@@ -224,8 +224,8 @@ declare class EncryptQueryOperation extends EncryptionOperation<EncryptedQueryRe
     withLockContext(lockContext: LockContext): EncryptQueryOperationWithLockContext;
     execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
     getOperation(): {
-        column: ProtectColumn;
-        table: ProtectTable<ProtectTableColumn>;
+        column: EncryptedColumn;
+        table: EncryptedTable<EncryptedTableColumn>;
         queryType?: QueryTypeName;
         returnType?: EncryptedReturnType;
         client: Client;
@@ -244,7 +244,7 @@ declare class EncryptQueryOperationWithLockContext extends EncryptionOperation<E
     execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
 }
 
-/** The EncryptionClient is the main entry point for interacting with the CipherStash Protect.js library.
+/** The EncryptionClient is the main entry point for interacting with the CipherStash Encryption library.
  * It provides methods for encrypting and decrypting individual values, as well as models (objects) and bulk operations.
  *
  * The client must be initialized using the {@link Encryption} function before it can be used.
@@ -272,7 +272,7 @@ declare class EncryptionClient {
      * Encrypt a value - returns a promise which resolves to an encrypted value.
      *
      * @param plaintext - The plaintext value to be encrypted. Can be null.
-     * @param opts - Options specifying the column and table for encryption.
+     * @param opts - Options specifying the column (or nested field) and table for encryption. See {@link EncryptOptions}.
      * @returns An EncryptOperation that can be awaited or chained with additional methods.
      *
      * @example
@@ -335,8 +335,11 @@ declare class EncryptionClient {
      *  .withLockContext(lockContext)
      * ```
      *
+     * @see {@link EncryptOptions}
      * @see {@link Result}
      * @see {@link encryptedTable}
+     * @see {@link encryptedColumn}
+     * @see {@link encryptedField}
      * @see {@link LockContext}
      * @see {@link EncryptOperation}
      */
@@ -440,10 +443,16 @@ declare class EncryptionClient {
      * All other fields are passed through unchanged. Returns a thenable operation
      * that supports `.withLockContext()` for identity-aware encryption.
      *
+     * The return type is **schema-aware**: fields matching the table schema are
+     * typed as `Encrypted`, while other fields retain their original types. For
+     * best results, let TypeScript infer the type parameters from the arguments
+     * rather than providing an explicit type argument.
+     *
      * @param input - The model object with plaintext values to encrypt.
      * @param table - The table schema defining which fields to encrypt.
-     * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
-     *   containing the model with encrypted fields, or an `EncryptionError`.
+     * @returns An `EncryptModelOperation` that can be awaited to get a `Result`
+     *   containing the model with schema-defined fields typed as `Encrypted`,
+     *   or an `EncryptionError`.
      *
      * @example
      * ```typescript
@@ -458,7 +467,9 @@ declare class EncryptionClient {
      *
      * const client = await Encryption({ schemas: [usersSchema] })
      *
-     * const result = await client.encryptModel<User>(
+     * // Let TypeScript infer the return type from the schema.
+     * // result.data.email is typed as `Encrypted`, result.data.id stays `string`.
+     * const result = await client.encryptModel(
      *   { id: "user_123", email: "alice@example.com", createdAt: new Date() },
      *   usersSchema,
      * )
@@ -466,12 +477,12 @@ declare class EncryptionClient {
      * if (result.failure) {
      *   console.error(result.failure.message)
      * } else {
-     *   // result.data.id is unchanged, result.data.email is encrypted
-     *   console.log(result.data)
+     *   console.log(result.data.id)    // string
+     *   console.log(result.data.email) // Encrypted
      * }
      * ```
      */
-    encryptModel<T extends Record<string, unknown>>(input: Decrypted<T>, table: ProtectTable<ProtectTableColumn>): EncryptModelOperation<T>;
+    encryptModel<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: T, table: EncryptedTable<S>): EncryptModelOperation<EncryptedFromSchema<T, S>>;
     /**
      * Decrypt a model (object) whose fields contain encrypted values.
      *
@@ -508,10 +519,15 @@ declare class EncryptionClient {
      * while still using a unique key for each encrypted value. Only fields
      * matching the table schema are encrypted; other fields pass through unchanged.
      *
+     * The return type is **schema-aware**: fields matching the table schema are
+     * typed as `Encrypted`, while other fields retain their original types. For
+     * best results, let TypeScript infer the type parameters from the arguments.
+     *
      * @param input - An array of model objects with plaintext values to encrypt.
      * @param table - The table schema defining which fields to encrypt.
-     * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
-     *   containing an array of models with encrypted fields, or an `EncryptionError`.
+     * @returns A `BulkEncryptModelsOperation` that can be awaited to get a `Result`
+     *   containing an array of models with schema-defined fields typed as `Encrypted`,
+     *   or an `EncryptionError`.
      *
      * @example
      * ```typescript
@@ -526,7 +542,9 @@ declare class EncryptionClient {
      *
      * const client = await Encryption({ schemas: [usersSchema] })
      *
-     * const result = await client.bulkEncryptModels<User>(
+     * // Let TypeScript infer the return type from the schema.
+     * // Each item's email is typed as `Encrypted`, id stays `string`.
+     * const result = await client.bulkEncryptModels(
      *   [
      *     { id: "1", email: "alice@example.com" },
      *     { id: "2", email: "bob@example.com" },
@@ -539,7 +557,7 @@ declare class EncryptionClient {
      * }
      * ```
      */
-    bulkEncryptModels<T extends Record<string, unknown>>(input: Array<Decrypted<T>>, table: ProtectTable<ProtectTableColumn>): BulkEncryptModelsOperation<T>;
+    bulkEncryptModels<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: Array<T>, table: EncryptedTable<S>): BulkEncryptModelsOperation<EncryptedFromSchema<T, S>>;
     /**
      * Decrypt multiple models (objects) in a single bulk operation.
      *
@@ -577,7 +595,7 @@ declare class EncryptionClient {
      * your application data. Null plaintext values are preserved as null.
      *
      * @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
-     * @param opts - Options specifying the target column and table for encryption.
+     * @param opts - Options specifying the target column (or nested {@link encryptedField}) and table. See {@link EncryptOptions}.
      * @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
      *   containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
      *

package/dist/{client-DtGq9dJp.d.ts → client-Kfp8OsPB.d.ts}

@@ -1,4 +1,4 @@
-import { j as EncryptedQueryResult, k as Client, S as ScalarQueryTerm, B as BulkDecryptedData, l as BulkDecryptPayload, D as Decrypted, m as BulkEncryptedData, n as BulkEncryptPayload, o as EncryptOptions, P as ProtectColumn, g as ProtectValue, d as ProtectTable, f as ProtectTableColumn, h as Encrypted, p as EncryptQueryOptions, Q as QueryTypeName, q as EncryptedReturnType, r as EncryptConfig, K as KeysetIdentifier } from './types-public-BCj1L4fi.js';
+import { l as EncryptedQueryResult, m as Client, S as ScalarQueryTerm, B as BulkDecryptedData, n as BulkDecryptPayload, D as Decrypted, o as BulkEncryptedData, p as BulkEncryptPayload, q as EncryptOptions, d as EncryptedColumn, h as EncryptedField, f as EncryptedTable, g as EncryptedTableColumn, j as Encrypted, r as EncryptQueryOptions, Q as QueryTypeName, s as EncryptedReturnType, t as EncryptConfig, K as KeysetIdentifier, i as EncryptedFromSchema } from './types-public-0CzBV45X.js';
 import { a as EncryptionError, d as LockContext } from './index-9-Ya3fDK.js';
 import { Result } from '@byteslice/result';
 import { JsPlaintext } from '@cipherstash/protect-ffi';
@@ -99,8 +99,8 @@ declare class BulkEncryptOperation extends EncryptionOperation<BulkEncryptedData
     getOperation(): {
         client: Client;
         plaintexts: BulkEncryptPayload;
-        column: ProtectColumn | ProtectValue;
-        table: ProtectTable<ProtectTableColumn>;
+        column: EncryptedColumn | EncryptedField;
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class BulkEncryptOperationWithLockContext extends EncryptionOperation<BulkEncryptedData> {
@@ -114,13 +114,13 @@ declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> exte
     private client;
     private models;
     private table;
-    constructor(client: Client, models: Decrypted<T>[], table: ProtectTable<ProtectTableColumn>);
+    constructor(client: Client, models: Record<string, unknown>[], table: EncryptedTable<EncryptedTableColumn>);
     withLockContext(lockContext: LockContext): BulkEncryptModelsOperationWithLockContext<T>;
     execute(): Promise<Result<T[], EncryptionError>>;
     getOperation(): {
         client: Client;
-        models: Decrypted<T>[];
-        table: ProtectTable<ProtectTableColumn>;
+        models: Record<string, unknown>[];
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class BulkEncryptModelsOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T[]> {
@@ -182,8 +182,8 @@ declare class EncryptOperation extends EncryptionOperation<Encrypted> {
     getOperation(): {
         client: Client;
         plaintext: JsPlaintext | null;
-        column: ProtectColumn | ProtectValue;
-        table: ProtectTable<ProtectTableColumn>;
+        column: EncryptedColumn | EncryptedField;
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted> {
@@ -197,13 +197,13 @@ declare class EncryptModelOperation<T extends Record<string, unknown>> extends E
     private client;
     private model;
     private table;
-    constructor(client: Client, model: Decrypted<T>, table: ProtectTable<ProtectTableColumn>);
+    constructor(client: Client, model: Record<string, unknown>, table: EncryptedTable<EncryptedTableColumn>);
     withLockContext(lockContext: LockContext): EncryptModelOperationWithLockContext<T>;
     execute(): Promise<Result<T, EncryptionError>>;
     getOperation(): {
         client: Client;
-        model: Decrypted<T>;
-        table: ProtectTable<ProtectTableColumn>;
+        model: Record<string, unknown>;
+        table: EncryptedTable<EncryptedTableColumn>;
     };
 }
 declare class EncryptModelOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T> {
@@ -224,8 +224,8 @@ declare class EncryptQueryOperation extends EncryptionOperation<EncryptedQueryRe
     withLockContext(lockContext: LockContext): EncryptQueryOperationWithLockContext;
     execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
     getOperation(): {
-        column: ProtectColumn;
-        table: ProtectTable<ProtectTableColumn>;
+        column: EncryptedColumn;
+        table: EncryptedTable<EncryptedTableColumn>;
         queryType?: QueryTypeName;
         returnType?: EncryptedReturnType;
         client: Client;
@@ -244,7 +244,7 @@ declare class EncryptQueryOperationWithLockContext extends EncryptionOperation<E
     execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
 }
 
-/** The EncryptionClient is the main entry point for interacting with the CipherStash Protect.js library.
+/** The EncryptionClient is the main entry point for interacting with the CipherStash Encryption library.
  * It provides methods for encrypting and decrypting individual values, as well as models (objects) and bulk operations.
  *
  * The client must be initialized using the {@link Encryption} function before it can be used.
@@ -272,7 +272,7 @@ declare class EncryptionClient {
      * Encrypt a value - returns a promise which resolves to an encrypted value.
      *
      * @param plaintext - The plaintext value to be encrypted. Can be null.
-     * @param opts - Options specifying the column and table for encryption.
+     * @param opts - Options specifying the column (or nested field) and table for encryption. See {@link EncryptOptions}.
      * @returns An EncryptOperation that can be awaited or chained with additional methods.
      *
      * @example
@@ -335,8 +335,11 @@ declare class EncryptionClient {
      *  .withLockContext(lockContext)
      * ```
      *
+     * @see {@link EncryptOptions}
      * @see {@link Result}
      * @see {@link encryptedTable}
+     * @see {@link encryptedColumn}
+     * @see {@link encryptedField}
      * @see {@link LockContext}
      * @see {@link EncryptOperation}
      */
@@ -440,10 +443,16 @@ declare class EncryptionClient {
      * All other fields are passed through unchanged. Returns a thenable operation
      * that supports `.withLockContext()` for identity-aware encryption.
      *
+     * The return type is **schema-aware**: fields matching the table schema are
+     * typed as `Encrypted`, while other fields retain their original types. For
+     * best results, let TypeScript infer the type parameters from the arguments
+     * rather than providing an explicit type argument.
+     *
      * @param input - The model object with plaintext values to encrypt.
      * @param table - The table schema defining which fields to encrypt.
-     * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
-     *   containing the model with encrypted fields, or an `EncryptionError`.
+     * @returns An `EncryptModelOperation` that can be awaited to get a `Result`
+     *   containing the model with schema-defined fields typed as `Encrypted`,
+     *   or an `EncryptionError`.
      *
      * @example
      * ```typescript
@@ -458,7 +467,9 @@ declare class EncryptionClient {
      *
      * const client = await Encryption({ schemas: [usersSchema] })
      *
-     * const result = await client.encryptModel<User>(
+     * // Let TypeScript infer the return type from the schema.
+     * // result.data.email is typed as `Encrypted`, result.data.id stays `string`.
+     * const result = await client.encryptModel(
      *   { id: "user_123", email: "alice@example.com", createdAt: new Date() },
      *   usersSchema,
      * )
@@ -466,12 +477,12 @@ declare class EncryptionClient {
      * if (result.failure) {
      *   console.error(result.failure.message)
      * } else {
-     *   // result.data.id is unchanged, result.data.email is encrypted
-     *   console.log(result.data)
+     *   console.log(result.data.id)    // string
+     *   console.log(result.data.email) // Encrypted
      * }
      * ```
      */
-    encryptModel<T extends Record<string, unknown>>(input: Decrypted<T>, table: ProtectTable<ProtectTableColumn>): EncryptModelOperation<T>;
+    encryptModel<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: T, table: EncryptedTable<S>): EncryptModelOperation<EncryptedFromSchema<T, S>>;
     /**
      * Decrypt a model (object) whose fields contain encrypted values.
      *
@@ -508,10 +519,15 @@ declare class EncryptionClient {
      * while still using a unique key for each encrypted value. Only fields
      * matching the table schema are encrypted; other fields pass through unchanged.
      *
+     * The return type is **schema-aware**: fields matching the table schema are
+     * typed as `Encrypted`, while other fields retain their original types. For
+     * best results, let TypeScript infer the type parameters from the arguments.
+     *
      * @param input - An array of model objects with plaintext values to encrypt.
      * @param table - The table schema defining which fields to encrypt.
-     * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
-     *   containing an array of models with encrypted fields, or an `EncryptionError`.
+     * @returns A `BulkEncryptModelsOperation` that can be awaited to get a `Result`
+     *   containing an array of models with schema-defined fields typed as `Encrypted`,
+     *   or an `EncryptionError`.
      *
      * @example
      * ```typescript
@@ -526,7 +542,9 @@ declare class EncryptionClient {
      *
      * const client = await Encryption({ schemas: [usersSchema] })
      *
-     * const result = await client.bulkEncryptModels<User>(
+     * // Let TypeScript infer the return type from the schema.
+     * // Each item's email is typed as `Encrypted`, id stays `string`.
+     * const result = await client.bulkEncryptModels(
      *   [
      *     { id: "1", email: "alice@example.com" },
      *     { id: "2", email: "bob@example.com" },
@@ -539,7 +557,7 @@ declare class EncryptionClient {
      * }
      * ```
      */
-    bulkEncryptModels<T extends Record<string, unknown>>(input: Array<Decrypted<T>>, table: ProtectTable<ProtectTableColumn>): BulkEncryptModelsOperation<T>;
+    bulkEncryptModels<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: Array<T>, table: EncryptedTable<S>): BulkEncryptModelsOperation<EncryptedFromSchema<T, S>>;
     /**
      * Decrypt multiple models (objects) in a single bulk operation.
      *
@@ -577,7 +595,7 @@ declare class EncryptionClient {
      * your application data. Null plaintext values are preserved as null.
      *
      * @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
-     * @param opts - Options specifying the target column and table for encryption.
+     * @param opts - Options specifying the target column (or nested {@link encryptedField}) and table. See {@link EncryptOptions}.
      * @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
      *   containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
      *