@cipherstash/stack 0.1.0

package/dist/drizzle/index.cjs

@@ -0,0 +1,1528 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc2) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc2 = __getOwnPropDesc(from, key)) || desc2.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/drizzle/index.ts
+var drizzle_exports = {};
+__export(drizzle_exports, {
+  EncryptionConfigError: () => EncryptionConfigError,
+  EncryptionOperatorError: () => EncryptionOperatorError,
+  createEncryptionOperators: () => createEncryptionOperators,
+  encryptedType: () => encryptedType,
+  extractEncryptionSchema: () => extractEncryptionSchema,
+  getEncryptedColumnConfig: () => getEncryptedColumnConfig
+});
+module.exports = __toCommonJS(drizzle_exports);
+var import_pg_core = require("drizzle-orm/pg-core");
+
+// src/schema/index.ts
+var import_zod = require("zod");
+var castAsEnum = import_zod.z.enum(["bigint", "boolean", "date", "number", "string", "json"]).default("string");
+var tokenFilterSchema = import_zod.z.object({
+  kind: import_zod.z.literal("downcase")
+});
+var tokenizerSchema = import_zod.z.union([
+  import_zod.z.object({
+    kind: import_zod.z.literal("standard")
+  }),
+  import_zod.z.object({
+    kind: import_zod.z.literal("ngram"),
+    token_length: import_zod.z.number()
+  })
+]).default({ kind: "ngram", token_length: 3 }).optional();
+var oreIndexOptsSchema = import_zod.z.object({});
+var uniqueIndexOptsSchema = import_zod.z.object({
+  token_filters: import_zod.z.array(tokenFilterSchema).default([]).optional()
+});
+var matchIndexOptsSchema = import_zod.z.object({
+  tokenizer: tokenizerSchema,
+  token_filters: import_zod.z.array(tokenFilterSchema).default([]).optional(),
+  k: import_zod.z.number().default(6).optional(),
+  m: import_zod.z.number().default(2048).optional(),
+  include_original: import_zod.z.boolean().default(false).optional()
+});
+var steVecIndexOptsSchema = import_zod.z.object({
+  prefix: import_zod.z.string()
+});
+var indexesSchema = import_zod.z.object({
+  ore: oreIndexOptsSchema.optional(),
+  unique: uniqueIndexOptsSchema.optional(),
+  match: matchIndexOptsSchema.optional(),
+  ste_vec: steVecIndexOptsSchema.optional()
+}).default({});
+var columnSchema = import_zod.z.object({
+  cast_as: castAsEnum,
+  indexes: indexesSchema
+}).default({});
+var tableSchema = import_zod.z.record(columnSchema).default({});
+var tablesSchema = import_zod.z.record(tableSchema).default({});
+var encryptConfigSchema = import_zod.z.object({
+  v: import_zod.z.number(),
+  tables: tablesSchema
+});
+var ProtectValue = class {
+  valueName;
+  castAsValue;
+  constructor(valueName) {
+    this.valueName = valueName;
+    this.castAsValue = "string";
+  }
+  /**
+   * Set or override the plaintext data type for this value.
+   *
+   * By default all values are treated as `'string'`. Use this method to specify
+   * a different type so the encryption layer knows how to encode the plaintext
+   * before encrypting.
+   *
+   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
+   * @returns This `ProtectValue` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedValue } from "@cipherstash/stack/schema"
+   *
+   * const age = encryptedValue("age").dataType("number")
+   * ```
+   */
+  dataType(castAs) {
+    this.castAsValue = castAs;
+    return this;
+  }
+  build() {
+    return {
+      cast_as: this.castAsValue,
+      indexes: {}
+    };
+  }
+  getName() {
+    return this.valueName;
+  }
+};
+var ProtectColumn = class {
+  columnName;
+  castAsValue;
+  indexesValue = {};
+  constructor(columnName) {
+    this.columnName = columnName;
+    this.castAsValue = "string";
+  }
+  /**
+   * Set or override the plaintext data type for this column.
+   *
+   * By default all columns are treated as `'string'`. Use this method to specify
+   * a different type so the encryption layer knows how to encode the plaintext
+   * before encrypting.
+   *
+   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const dateOfBirth = encryptedColumn("date_of_birth").dataType("date")
+   * ```
+   */
+  dataType(castAs) {
+    this.castAsValue = castAs;
+    return this;
+  }
+  /**
+   * Enable Order-Revealing Encryption (ORE) indexing on this column.
+   *
+   * ORE allows sorting, comparison, and range queries on encrypted data.
+   * Use with `encryptQuery` and `queryType: 'orderAndRange'`.
+   *
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").orderAndRange(),
+   * })
+   * ```
+   */
+  orderAndRange() {
+    this.indexesValue.ore = {};
+    return this;
+  }
+  /**
+   * Enable an exact-match (unique) index on this column.
+   *
+   * Allows equality queries on encrypted data. Use with `encryptQuery`
+   * and `queryType: 'equality'`.
+   *
+   * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
+   *   When omitted, no token filters are applied.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   * ```
+   */
+  equality(tokenFilters) {
+    this.indexesValue.unique = {
+      token_filters: tokenFilters ?? []
+    };
+    return this;
+  }
+  /**
+   * Enable a full-text / fuzzy search (match) index on this column.
+   *
+   * Uses n-gram tokenization by default for substring and fuzzy matching.
+   * Use with `encryptQuery` and `queryType: 'freeTextSearch'`.
+   *
+   * @param opts - Optional match index configuration. Defaults to 3-character ngram
+   *   tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").freeTextSearch(),
+   * })
+   *
+   * // With custom options
+   * const posts = encryptedTable("posts", {
+   *   body: encryptedColumn("body").freeTextSearch({
+   *     tokenizer: { kind: "ngram", token_length: 4 },
+   *     k: 8,
+   *     m: 4096,
+   *   }),
+   * })
+   * ```
+   */
+  freeTextSearch(opts) {
+    this.indexesValue.match = {
+      tokenizer: opts?.tokenizer ?? { kind: "ngram", token_length: 3 },
+      token_filters: opts?.token_filters ?? [
+        {
+          kind: "downcase"
+        }
+      ],
+      k: opts?.k ?? 6,
+      m: opts?.m ?? 2048,
+      include_original: opts?.include_original ?? true
+    };
+    return this;
+  }
+  /**
+   * Configure this column for searchable encrypted JSON (STE-Vec).
+   *
+   * Enables encrypted JSONPath selector queries (e.g. `'$.user.email'`) and
+   * containment queries (e.g. `{ role: 'admin' }`). Automatically sets the
+   * data type to `'json'`.
+   *
+   * When used with `encryptQuery`, the query operation is auto-inferred from
+   * the plaintext type: strings become selector queries, objects/arrays become
+   * containment queries.
+   *
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const documents = encryptedTable("documents", {
+   *   metadata: encryptedColumn("metadata").searchableJson(),
+   * })
+   * ```
+   */
+  searchableJson() {
+    this.castAsValue = "json";
+    this.indexesValue.ste_vec = { prefix: "enabled" };
+    return this;
+  }
+  build() {
+    return {
+      cast_as: this.castAsValue,
+      indexes: this.indexesValue
+    };
+  }
+  getName() {
+    return this.columnName;
+  }
+};
+var ProtectTable = class {
+  constructor(tableName, columnBuilders) {
+    this.tableName = tableName;
+    this.columnBuilders = columnBuilders;
+  }
+  /**
+   * Compile this table schema into a `TableDefinition` used internally by the encryption client.
+   *
+   * Iterates over all column builders, calls `.build()` on each, and assembles
+   * the final `{ tableName, columns }` structure. For `searchableJson()` columns,
+   * the STE-Vec prefix is automatically set to `"<tableName>/<columnName>"`.
+   *
+   * @returns A `TableDefinition` containing the table name and built column configs.
+   *
+   * @example
+   * ```typescript
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   *
+   * const definition = users.build()
+   * // { tableName: "users", columns: { email: { cast_as: "string", indexes: { unique: ... } } } }
+   * ```
+   */
+  build() {
+    const builtColumns = {};
+    const processColumn = (builder, colName) => {
+      if (builder instanceof ProtectColumn) {
+        const builtColumn = builder.build();
+        if (builtColumn.cast_as === "json" && builtColumn.indexes.ste_vec?.prefix === "enabled") {
+          builtColumns[colName] = {
+            ...builtColumn,
+            indexes: {
+              ...builtColumn.indexes,
+              ste_vec: {
+                prefix: `${this.tableName}/${colName}`
+              }
+            }
+          };
+        } else {
+          builtColumns[colName] = builtColumn;
+        }
+      } else {
+        for (const [key, value] of Object.entries(builder)) {
+          if (value instanceof ProtectValue) {
+            builtColumns[value.getName()] = value.build();
+          } else {
+            processColumn(value, key);
+          }
+        }
+      }
+    };
+    for (const [colName, builder] of Object.entries(this.columnBuilders)) {
+      processColumn(builder, colName);
+    }
+    return {
+      tableName: this.tableName,
+      columns: builtColumns
+    };
+  }
+};
+function encryptedTable(tableName, columns) {
+  const tableBuilder = new ProtectTable(tableName, columns);
+  for (const [colName, colBuilder] of Object.entries(columns)) {
+    ;
+    tableBuilder[colName] = colBuilder;
+  }
+  return tableBuilder;
+}
+function encryptedColumn(columnName) {
+  return new ProtectColumn(columnName);
+}
+
+// src/drizzle/schema-extraction.ts
+function extractEncryptionSchema(table) {
+  const tableName = table[Symbol.for("drizzle:Name")];
+  if (!tableName) {
+    throw new Error(
+      "Unable to extract table name from Drizzle table. Ensure you are using a table created with pgTable()."
+    );
+  }
+  const columns = {};
+  for (const [columnName, column] of Object.entries(table)) {
+    if (typeof column !== "object" || column === null) {
+      continue;
+    }
+    const config = getEncryptedColumnConfig(columnName, column);
+    if (config) {
+      const actualColumnName = column.name || config.name;
+      const csCol = encryptedColumn(actualColumnName);
+      if (config.dataType && config.dataType !== "string") {
+        csCol.dataType(config.dataType);
+      }
+      if (config.orderAndRange) {
+        csCol.orderAndRange();
+      }
+      if (config.equality) {
+        if (Array.isArray(config.equality)) {
+          csCol.equality(config.equality);
+        } else {
+          csCol.equality();
+        }
+      }
+      if (config.freeTextSearch) {
+        if (typeof config.freeTextSearch === "object") {
+          csCol.freeTextSearch(config.freeTextSearch);
+        } else {
+          csCol.freeTextSearch();
+        }
+      }
+      if (config.searchableJson) {
+        if (config.dataType !== "json") {
+          throw new Error(
+            `Column "${columnName}" has searchableJson enabled but dataType is "${config.dataType ?? "string"}". searchableJson requires dataType: 'json'.`
+          );
+        }
+        csCol.searchableJson();
+      }
+      columns[actualColumnName] = csCol;
+    }
+  }
+  if (Object.keys(columns).length === 0) {
+    throw new Error(
+      `No encrypted columns found in table "${tableName}". Use encryptedType() to define encrypted columns.`
+    );
+  }
+  return encryptedTable(tableName, columns);
+}
+
+// src/types.ts
+var queryTypes = {
+  orderAndRange: "orderAndRange",
+  freeTextSearch: "freeTextSearch",
+  equality: "equality",
+  steVecSelector: "steVecSelector",
+  steVecTerm: "steVecTerm",
+  searchableJson: "searchableJson"
+};
+
+// src/drizzle/operators.ts
+var import_drizzle_orm = require("drizzle-orm");
+var import_drizzle_orm2 = require("drizzle-orm");
+function isSQLWrapper(value) {
+  return typeof value === "object" && value !== null && "sql" in value && typeof value.sql !== "undefined";
+}
+function isPgTable(value) {
+  return typeof value === "object" && value !== null && Symbol.for("drizzle:Name") in value;
+}
+var EncryptionOperatorError = class extends Error {
+  constructor(message, context) {
+    super(message);
+    this.context = context;
+    this.name = "EncryptionOperatorError";
+  }
+};
+var EncryptionConfigError = class extends EncryptionOperatorError {
+  constructor(message, context) {
+    super(message, context);
+    this.name = "EncryptionConfigError";
+  }
+};
+function getDrizzleTableName(drizzleTable) {
+  if (!isPgTable(drizzleTable)) {
+    return void 0;
+  }
+  const tableWithSymbol = drizzleTable;
+  return tableWithSymbol[Symbol.for("drizzle:Name")];
+}
+function getDrizzleTableFromColumn(drizzleColumn) {
+  const column = drizzleColumn;
+  return column.table;
+}
+function getEncryptedTableFromColumn(drizzleColumn, tableCache) {
+  const drizzleTable = getDrizzleTableFromColumn(drizzleColumn);
+  if (!drizzleTable) {
+    return void 0;
+  }
+  const tableName = getDrizzleTableName(drizzleTable);
+  if (!tableName) {
+    return void 0;
+  }
+  let encryptedTable2 = tableCache.get(tableName);
+  if (encryptedTable2) {
+    return encryptedTable2;
+  }
+  try {
+    encryptedTable2 = extractEncryptionSchema(drizzleTable);
+    tableCache.set(tableName, encryptedTable2);
+    return encryptedTable2;
+  } catch {
+    return void 0;
+  }
+}
+function getEncryptedColumn(drizzleColumn, encryptedTable2) {
+  const column = drizzleColumn;
+  const columnName = column.name;
+  if (!columnName) {
+    return void 0;
+  }
+  const tableRecord = encryptedTable2;
+  return tableRecord[columnName];
+}
+function getColumnInfo(drizzleColumn, encryptedTable2, tableCache) {
+  const column = drizzleColumn;
+  const columnName = column.name || "unknown";
+  let resolvedTable = encryptedTable2;
+  if (!resolvedTable) {
+    resolvedTable = getEncryptedTableFromColumn(drizzleColumn, tableCache);
+  }
+  const drizzleTable = getDrizzleTableFromColumn(drizzleColumn);
+  const tableName = getDrizzleTableName(drizzleTable);
+  if (!resolvedTable) {
+    const config2 = getEncryptedColumnConfig(columnName, drizzleColumn);
+    return {
+      encryptedColumn: void 0,
+      config: config2,
+      encryptedTable: void 0,
+      columnName,
+      tableName
+    };
+  }
+  const encryptedColumn2 = getEncryptedColumn(drizzleColumn, resolvedTable);
+  const config = getEncryptedColumnConfig(columnName, drizzleColumn);
+  return {
+    encryptedColumn: encryptedColumn2,
+    config,
+    encryptedTable: resolvedTable,
+    columnName,
+    tableName
+  };
+}
+function toPlaintext(value) {
+  if (typeof value === "boolean") {
+    return value ? 1 : 0;
+  }
+  if (typeof value === "string" || typeof value === "number") {
+    return value;
+  }
+  if (value instanceof Date) {
+    return value.toISOString();
+  }
+  return String(value);
+}
+async function encryptValues(encryptionClient, values, encryptedTable2, tableCache) {
+  if (values.length === 0) {
+    return [];
+  }
+  const valuesToEncrypt = [];
+  const results = new Array(values.length);
+  for (let i = 0; i < values.length; i++) {
+    const { value, column, queryType } = values[i];
+    const columnInfo = getColumnInfo(column, encryptedTable2, tableCache);
+    if (!columnInfo.encryptedColumn || !columnInfo.config || !columnInfo.encryptedTable) {
+      results[i] = value;
+      continue;
+    }
+    const plaintextValue = toPlaintext(value);
+    valuesToEncrypt.push({
+      value: plaintextValue,
+      column,
+      columnInfo,
+      queryType,
+      originalIndex: i
+    });
+  }
+  if (valuesToEncrypt.length === 0) {
+    return results;
+  }
+  const columnGroups = /* @__PURE__ */ new Map();
+  let valueIndex = 0;
+  for (const {
+    value,
+    columnInfo,
+    queryType,
+    originalIndex
+  } of valuesToEncrypt) {
+    if (!columnInfo.config || !columnInfo.encryptedColumn || !columnInfo.encryptedTable) {
+      continue;
+    }
+    const columnName = columnInfo.config.name;
+    const groupKey = `${columnInfo.tableName ?? "unknown"}/${columnName}`;
+    let group = columnGroups.get(groupKey);
+    if (!group) {
+      group = {
+        column: columnInfo.encryptedColumn,
+        table: columnInfo.encryptedTable,
+        columnName,
+        values: [],
+        resultIndices: []
+      };
+      columnGroups.set(groupKey, group);
+    }
+    group.values.push({ value, index: valueIndex++, queryType });
+    group.resultIndices.push(originalIndex);
+  }
+  for (const [, group] of columnGroups) {
+    const { columnName } = group;
+    try {
+      const terms = group.values.map((v) => ({
+        value: v.value,
+        column: group.column,
+        table: group.table,
+        queryType: v.queryType
+      }));
+      const encryptedTerms = await encryptionClient.encryptQuery(terms);
+      if (encryptedTerms.failure) {
+        throw new EncryptionOperatorError(
+          `Failed to encrypt query terms for column "${columnName}": ${encryptedTerms.failure.message}`,
+          { columnName }
+        );
+      }
+      for (let i = 0; i < group.values.length; i++) {
+        const resultIndex = group.resultIndices[i] ?? -1;
+        if (resultIndex >= 0 && resultIndex < results.length) {
+          results[resultIndex] = encryptedTerms.data[i];
+        }
+      }
+    } catch (error) {
+      if (error instanceof EncryptionOperatorError) {
+        throw error;
+      }
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new EncryptionOperatorError(
+        `Unexpected error encrypting values for column "${columnName}": ${errorMessage}`,
+        { columnName }
+      );
+    }
+  }
+  return results;
+}
+async function encryptValue(encryptionClient, value, drizzleColumn, encryptedTable2, tableCache, queryType) {
+  const results = await encryptValues(
+    encryptionClient,
+    [{ value, column: drizzleColumn, queryType }],
+    encryptedTable2,
+    tableCache
+  );
+  return results[0];
+}
+function isLazyOperator(value) {
+  return typeof value === "object" && value !== null && "__isLazyOperator" in value && value.__isLazyOperator === true;
+}
+function createLazyOperator(operator, left, right, execute, needsEncryption, columnInfo, encryptionClient, defaultTable, tableCache, min, max, queryType) {
+  let resolvedSQL;
+  let encryptionPromise;
+  const lazyOp = {
+    __isLazyOperator: true,
+    operator,
+    queryType,
+    left,
+    right,
+    min,
+    max,
+    needsEncryption,
+    columnInfo,
+    execute
+  };
+  const promise = new Promise((resolve, reject) => {
+    queueMicrotask(async () => {
+      if (resolvedSQL !== void 0) {
+        resolve(resolvedSQL);
+        return;
+      }
+      try {
+        if (!encryptionPromise) {
+          encryptionPromise = executeLazyOperatorDirect(
+            lazyOp,
+            encryptionClient,
+            defaultTable,
+            tableCache
+          );
+        }
+        const sql2 = await encryptionPromise;
+        resolvedSQL = sql2;
+        resolve(sql2);
+      } catch (error) {
+        reject(error);
+      }
+    });
+  });
+  return Object.assign(promise, lazyOp);
+}
+async function executeLazyOperator(lazyOp, encryptedValues) {
+  if (!lazyOp.needsEncryption) {
+    return lazyOp.execute(lazyOp.right);
+  }
+  if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+    let encryptedMin;
+    let encryptedMax;
+    if (encryptedValues && encryptedValues.length >= 2) {
+      encryptedMin = encryptedValues[0]?.encrypted;
+      encryptedMax = encryptedValues[1]?.encrypted;
+    } else {
+      throw new EncryptionOperatorError(
+        "Between operator requires both min and max encrypted values",
+        {
+          columnName: lazyOp.columnInfo.columnName,
+          tableName: lazyOp.columnInfo.tableName,
+          operator: lazyOp.operator
+        }
+      );
+    }
+    if (encryptedMin === void 0 || encryptedMax === void 0) {
+      throw new EncryptionOperatorError(
+        "Between operator requires both min and max values to be encrypted",
+        {
+          columnName: lazyOp.columnInfo.columnName,
+          tableName: lazyOp.columnInfo.tableName,
+          operator: lazyOp.operator
+        }
+      );
+    }
+    return lazyOp.execute(void 0, encryptedMin, encryptedMax);
+  }
+  let encrypted;
+  if (encryptedValues && encryptedValues.length > 0) {
+    encrypted = encryptedValues[0]?.encrypted;
+  } else {
+    throw new EncryptionOperatorError(
+      "Operator requires encrypted value but none provided",
+      {
+        columnName: lazyOp.columnInfo.columnName,
+        tableName: lazyOp.columnInfo.tableName,
+        operator: lazyOp.operator
+      }
+    );
+  }
+  if (encrypted === void 0) {
+    throw new EncryptionOperatorError(
+      "Encryption failed or value was not encrypted",
+      {
+        columnName: lazyOp.columnInfo.columnName,
+        tableName: lazyOp.columnInfo.tableName,
+        operator: lazyOp.operator
+      }
+    );
+  }
+  return lazyOp.execute(encrypted);
+}
+async function executeLazyOperatorDirect(lazyOp, encryptionClient, defaultTable, tableCache) {
+  if (!lazyOp.needsEncryption) {
+    return lazyOp.execute(lazyOp.right);
+  }
+  if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+    const [encryptedMin, encryptedMax] = await encryptValues(
+      encryptionClient,
+      [
+        { value: lazyOp.min, column: lazyOp.left, queryType: lazyOp.queryType },
+        { value: lazyOp.max, column: lazyOp.left, queryType: lazyOp.queryType }
+      ],
+      defaultTable,
+      tableCache
+    );
+    return lazyOp.execute(void 0, encryptedMin, encryptedMax);
+  }
+  const encrypted = await encryptValue(
+    encryptionClient,
+    lazyOp.right,
+    lazyOp.left,
+    defaultTable,
+    tableCache,
+    lazyOp.queryType
+  );
+  return lazyOp.execute(encrypted);
+}
+function createComparisonOperator(operator, left, right, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  const requiresOrderAndRange = ["gt", "gte", "lt", "lte"].includes(operator);
+  if (requiresOrderAndRange) {
+    if (!config?.orderAndRange) {
+      switch (operator) {
+        case "gt":
+          return (0, import_drizzle_orm.gt)(left, right);
+        case "gte":
+          return (0, import_drizzle_orm.gte)(left, right);
+        case "lt":
+          return (0, import_drizzle_orm.lt)(left, right);
+        case "lte":
+          return (0, import_drizzle_orm.lte)(left, right);
+      }
+    }
+    const executeFn = (encrypted) => {
+      if (encrypted === void 0) {
+        throw new EncryptionOperatorError(
+          `Encryption failed for ${operator} operator`,
+          {
+            columnName: columnInfo.columnName,
+            tableName: columnInfo.tableName,
+            operator
+          }
+        );
+      }
+      return import_drizzle_orm2.sql`eql_v2.${import_drizzle_orm2.sql.raw(operator)}(${left}, ${(0, import_drizzle_orm2.bindIfParam)(encrypted, left)})`;
+    };
+    return createLazyOperator(
+      operator,
+      left,
+      right,
+      executeFn,
+      true,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache,
+      void 0,
+      // min
+      void 0,
+      // max
+      queryTypes.orderAndRange
+    );
+  }
+  const requiresEquality = ["eq", "ne"].includes(operator);
+  if (requiresEquality && config?.equality) {
+    const executeFn = (encrypted) => {
+      if (encrypted === void 0) {
+        throw new EncryptionOperatorError(
+          `Encryption failed for ${operator} operator`,
+          {
+            columnName: columnInfo.columnName,
+            tableName: columnInfo.tableName,
+            operator
+          }
+        );
+      }
+      return operator === "eq" ? (0, import_drizzle_orm.eq)(left, encrypted) : (0, import_drizzle_orm.ne)(left, encrypted);
+    };
+    return createLazyOperator(
+      operator,
+      left,
+      right,
+      executeFn,
+      true,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache,
+      void 0,
+      // min
+      void 0,
+      // max
+      queryTypes.equality
+    );
+  }
+  return operator === "eq" ? (0, import_drizzle_orm.eq)(left, right) : (0, import_drizzle_orm.ne)(left, right);
+}
+function createRangeOperator(operator, left, min, max, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  if (!config?.orderAndRange) {
+    return operator === "between" ? (0, import_drizzle_orm.between)(left, min, max) : (0, import_drizzle_orm.notBetween)(left, min, max);
+  }
+  const executeFn = (_encrypted, encryptedMin, encryptedMax) => {
+    if (encryptedMin === void 0 || encryptedMax === void 0) {
+      throw new EncryptionOperatorError(
+        `${operator} operator requires both min and max values`,
+        {
+          columnName: columnInfo.columnName,
+          tableName: columnInfo.tableName,
+          operator
+        }
+      );
+    }
+    const rangeCondition = import_drizzle_orm2.sql`eql_v2.gte(${left}, ${(0, import_drizzle_orm2.bindIfParam)(encryptedMin, left)}) AND eql_v2.lte(${left}, ${(0, import_drizzle_orm2.bindIfParam)(encryptedMax, left)})`;
+    return operator === "between" ? rangeCondition : import_drizzle_orm2.sql`NOT (${rangeCondition})`;
+  };
+  return createLazyOperator(
+    operator,
+    left,
+    void 0,
+    executeFn,
+    true,
+    columnInfo,
+    encryptionClient,
+    defaultTable,
+    tableCache,
+    min,
+    max,
+    queryTypes.orderAndRange
+  );
+}
+function createTextSearchOperator(operator, left, right, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  if (!config?.freeTextSearch) {
+    const rightValue = right;
+    switch (operator) {
+      case "like":
+        return (0, import_drizzle_orm.like)(left, rightValue);
+      case "ilike":
+        return (0, import_drizzle_orm.ilike)(left, rightValue);
+      case "notIlike":
+        return (0, import_drizzle_orm.notIlike)(left, rightValue);
+    }
+  }
+  const executeFn = (encrypted) => {
+    if (encrypted === void 0) {
+      throw new EncryptionOperatorError(
+        `Encryption failed for ${operator} operator`,
+        {
+          columnName: columnInfo.columnName,
+          tableName: columnInfo.tableName,
+          operator
+        }
+      );
+    }
+    const sqlFn = import_drizzle_orm2.sql`eql_v2.${import_drizzle_orm2.sql.raw(operator === "notIlike" ? "ilike" : operator)}(${left}, ${(0, import_drizzle_orm2.bindIfParam)(encrypted, left)})`;
+    return operator === "notIlike" ? import_drizzle_orm2.sql`NOT (${sqlFn})` : sqlFn;
+  };
+  return createLazyOperator(
+    operator,
+    left,
+    right,
+    executeFn,
+    true,
+    columnInfo,
+    encryptionClient,
+    defaultTable,
+    tableCache,
+    void 0,
+    // min
+    void 0,
+    // max
+    queryTypes.freeTextSearch
+  );
+}
+function createJsonbOperator(operator, left, right, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  const encryptedSelector = (value) => import_drizzle_orm2.sql`${(0, import_drizzle_orm2.bindIfParam)(value, left)}::eql_v2_encrypted`;
+  if (!config?.searchableJson) {
+    throw new EncryptionOperatorError(
+      `The ${operator} operator requires searchableJson to be enabled on the column configuration.`,
+      {
+        columnName: columnInfo.columnName,
+        tableName: columnInfo.tableName,
+        operator
+      }
+    );
+  }
+  const executeFn = (encrypted) => {
+    if (encrypted === void 0) {
+      throw new EncryptionOperatorError(
+        `Encryption failed for ${operator} operator`,
+        {
+          columnName: columnInfo.columnName,
+          tableName: columnInfo.tableName,
+          operator
+        }
+      );
+    }
+    switch (operator) {
+      case "jsonbPathQueryFirst":
+        return import_drizzle_orm2.sql`eql_v2.jsonb_path_query_first(${left}, ${encryptedSelector(encrypted)})`;
+      case "jsonbGet":
+        return import_drizzle_orm2.sql`${left} -> ${encryptedSelector(encrypted)}`;
+      case "jsonbPathExists":
+        return import_drizzle_orm2.sql`eql_v2.jsonb_path_exists(${left}, ${encryptedSelector(encrypted)})`;
+    }
+  };
+  return createLazyOperator(
+    operator,
+    left,
+    right,
+    executeFn,
+    true,
+    columnInfo,
+    encryptionClient,
+    defaultTable,
+    tableCache,
+    void 0,
+    void 0,
+    queryTypes.steVecSelector
+  );
+}
+function createEncryptionOperators(encryptionClient) {
+  const tableCache = /* @__PURE__ */ new Map();
+  const defaultTable = void 0;
+  const encryptedEq = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "eq",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedNe = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "ne",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedGt = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "gt",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedGte = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "gte",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedLt = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "lt",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedLte = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "lte",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedBetween = (left, min, max) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createRangeOperator(
+      "between",
+      left,
+      min,
+      max,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedNotBetween = (left, min, max) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createRangeOperator(
+      "notBetween",
+      left,
+      min,
+      max,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedLike = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createTextSearchOperator(
+      "like",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedIlike = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createTextSearchOperator(
+      "ilike",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedNotIlike = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createTextSearchOperator(
+      "notIlike",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedJsonbPathQueryFirst = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createJsonbOperator(
+      "jsonbPathQueryFirst",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedJsonbGet = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createJsonbOperator(
+      "jsonbGet",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedJsonbPathExists = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createJsonbOperator(
+      "jsonbPathExists",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedInArray = async (left, right) => {
+    if (isSQLWrapper(right)) {
+      return (0, import_drizzle_orm.inArray)(left, right);
+    }
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    if (!columnInfo.config?.equality || !Array.isArray(right)) {
+      return (0, import_drizzle_orm.inArray)(left, right);
+    }
+    const encryptedValues = await encryptValues(
+      encryptionClient,
+      right.map((value) => ({
+        value,
+        column: left,
+        queryType: queryTypes.equality
+      })),
+      defaultTable,
+      tableCache
+    );
+    const conditions = encryptedValues.filter((encrypted) => encrypted !== void 0).map((encrypted) => (0, import_drizzle_orm.eq)(left, encrypted));
+    if (conditions.length === 0) {
+      return import_drizzle_orm2.sql`false`;
+    }
+    const combined = (0, import_drizzle_orm.or)(...conditions);
+    return combined ?? import_drizzle_orm2.sql`false`;
+  };
+  const encryptedNotInArray = async (left, right) => {
+    if (isSQLWrapper(right)) {
+      return (0, import_drizzle_orm.notInArray)(
+        left,
+        right
+      );
+    }
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    if (!columnInfo.config?.equality || !Array.isArray(right)) {
+      return (0, import_drizzle_orm.notInArray)(left, right);
+    }
+    const encryptedValues = await encryptValues(
+      encryptionClient,
+      right.map((value) => ({
+        value,
+        column: left,
+        queryType: queryTypes.equality
+      })),
+      defaultTable,
+      tableCache
+    );
+    const conditions = encryptedValues.filter((encrypted) => encrypted !== void 0).map((encrypted) => (0, import_drizzle_orm.ne)(left, encrypted));
+    if (conditions.length === 0) {
+      return import_drizzle_orm2.sql`true`;
+    }
+    const combined = (0, import_drizzle_orm.and)(...conditions);
+    return combined ?? import_drizzle_orm2.sql`true`;
+  };
+  const encryptedAsc = (column) => {
+    const columnInfo = getColumnInfo(column, defaultTable, tableCache);
+    if (columnInfo.config?.orderAndRange) {
+      return (0, import_drizzle_orm.asc)(import_drizzle_orm2.sql`eql_v2.order_by(${column})`);
+    }
+    return (0, import_drizzle_orm.asc)(column);
+  };
+  const encryptedDesc = (column) => {
+    const columnInfo = getColumnInfo(column, defaultTable, tableCache);
+    if (columnInfo.config?.orderAndRange) {
+      return (0, import_drizzle_orm.desc)(import_drizzle_orm2.sql`eql_v2.order_by(${column})`);
+    }
+    return (0, import_drizzle_orm.desc)(column);
+  };
+  const encryptedAnd = async (...conditions) => {
+    const lazyOperators = [];
+    const regularConditions = [];
+    const regularPromises = [];
+    for (const condition of conditions) {
+      if (condition === void 0) {
+        continue;
+      }
+      if (isLazyOperator(condition)) {
+        lazyOperators.push(condition);
+      } else if (condition instanceof Promise) {
+        if (isLazyOperator(condition)) {
+          lazyOperators.push(condition);
+        } else {
+          regularPromises.push(condition);
+        }
+      } else {
+        regularConditions.push(condition);
+      }
+    }
+    if (lazyOperators.length === 0) {
+      const allConditions2 = [
+        ...regularConditions,
+        ...await Promise.all(regularPromises)
+      ];
+      return (0, import_drizzle_orm.and)(...allConditions2) ?? import_drizzle_orm2.sql`true`;
+    }
+    const valuesToEncrypt = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      if (!lazyOp.needsEncryption) {
+        continue;
+      }
+      if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.min,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMin: true
+        });
+        valuesToEncrypt.push({
+          value: lazyOp.max,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMax: true
+        });
+      } else if (lazyOp.right !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.right,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i
+        });
+      }
+    }
+    const encryptedResults = await encryptValues(
+      encryptionClient,
+      valuesToEncrypt.map((v) => ({
+        value: v.value,
+        column: v.column,
+        queryType: v.queryType
+      })),
+      defaultTable,
+      tableCache
+    );
+    const encryptedByLazyOp = /* @__PURE__ */ new Map();
+    for (let i = 0; i < valuesToEncrypt.length; i++) {
+      const { lazyOpIndex, isMin, isMax } = valuesToEncrypt[i];
+      const encrypted = encryptedResults[i];
+      let group = encryptedByLazyOp.get(lazyOpIndex);
+      if (!group) {
+        group = {};
+        encryptedByLazyOp.set(lazyOpIndex, group);
+      }
+      if (isMin) {
+        group.min = encrypted;
+      } else if (isMax) {
+        group.max = encrypted;
+      } else {
+        group.value = encrypted;
+      }
+    }
+    const sqlConditions = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      const encrypted = encryptedByLazyOp.get(i);
+      let sqlCondition;
+      if (lazyOp.needsEncryption && encrypted) {
+        const encryptedValues = [];
+        if (encrypted.value !== void 0) {
+          encryptedValues.push({
+            value: lazyOp.right,
+            encrypted: encrypted.value
+          });
+        }
+        if (encrypted.min !== void 0) {
+          encryptedValues.push({ value: lazyOp.min, encrypted: encrypted.min });
+        }
+        if (encrypted.max !== void 0) {
+          encryptedValues.push({ value: lazyOp.max, encrypted: encrypted.max });
+        }
+        sqlCondition = await executeLazyOperator(lazyOp, encryptedValues);
+      } else {
+        sqlCondition = lazyOp.execute(lazyOp.right);
+      }
+      sqlConditions.push(sqlCondition);
+    }
+    const regularPromisesResults = await Promise.all(regularPromises);
+    const allConditions = [
+      ...regularConditions,
+      ...sqlConditions,
+      ...regularPromisesResults
+    ];
+    return (0, import_drizzle_orm.and)(...allConditions) ?? import_drizzle_orm2.sql`true`;
+  };
+  const encryptedOr = async (...conditions) => {
+    const lazyOperators = [];
+    const regularConditions = [];
+    const regularPromises = [];
+    for (const condition of conditions) {
+      if (condition === void 0) {
+        continue;
+      }
+      if (isLazyOperator(condition)) {
+        lazyOperators.push(condition);
+      } else if (condition instanceof Promise) {
+        if (isLazyOperator(condition)) {
+          lazyOperators.push(condition);
+        } else {
+          regularPromises.push(condition);
+        }
+      } else {
+        regularConditions.push(condition);
+      }
+    }
+    if (lazyOperators.length === 0) {
+      const allConditions2 = [
+        ...regularConditions,
+        ...await Promise.all(regularPromises)
+      ];
+      return (0, import_drizzle_orm.or)(...allConditions2) ?? import_drizzle_orm2.sql`false`;
+    }
+    const valuesToEncrypt = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      if (!lazyOp.needsEncryption) {
+        continue;
+      }
+      if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.min,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMin: true
+        });
+        valuesToEncrypt.push({
+          value: lazyOp.max,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMax: true
+        });
+      } else if (lazyOp.right !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.right,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i
+        });
+      }
+    }
+    const encryptedResults = await encryptValues(
+      encryptionClient,
+      valuesToEncrypt.map((v) => ({
+        value: v.value,
+        column: v.column,
+        queryType: v.queryType
+      })),
+      defaultTable,
+      tableCache
+    );
+    const encryptedByLazyOp = /* @__PURE__ */ new Map();
+    for (let i = 0; i < valuesToEncrypt.length; i++) {
+      const { lazyOpIndex, isMin, isMax } = valuesToEncrypt[i];
+      const encrypted = encryptedResults[i];
+      let group = encryptedByLazyOp.get(lazyOpIndex);
+      if (!group) {
+        group = {};
+        encryptedByLazyOp.set(lazyOpIndex, group);
+      }
+      if (isMin) {
+        group.min = encrypted;
+      } else if (isMax) {
+        group.max = encrypted;
+      } else {
+        group.value = encrypted;
+      }
+    }
+    const sqlConditions = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      const encrypted = encryptedByLazyOp.get(i);
+      let sqlCondition;
+      if (lazyOp.needsEncryption && encrypted) {
+        const encryptedValues = [];
+        if (encrypted.value !== void 0) {
+          encryptedValues.push({
+            value: lazyOp.right,
+            encrypted: encrypted.value
+          });
+        }
+        if (encrypted.min !== void 0) {
+          encryptedValues.push({ value: lazyOp.min, encrypted: encrypted.min });
+        }
+        if (encrypted.max !== void 0) {
+          encryptedValues.push({ value: lazyOp.max, encrypted: encrypted.max });
+        }
+        sqlCondition = await executeLazyOperator(lazyOp, encryptedValues);
+      } else {
+        sqlCondition = lazyOp.execute(lazyOp.right);
+      }
+      sqlConditions.push(sqlCondition);
+    }
+    const regularPromisesResults = await Promise.all(regularPromises);
+    const allConditions = [
+      ...regularConditions,
+      ...sqlConditions,
+      ...regularPromisesResults
+    ];
+    return (0, import_drizzle_orm.or)(...allConditions) ?? import_drizzle_orm2.sql`false`;
+  };
+  return {
+    // Comparison operators
+    eq: encryptedEq,
+    ne: encryptedNe,
+    gt: encryptedGt,
+    gte: encryptedGte,
+    lt: encryptedLt,
+    lte: encryptedLte,
+    // Range operators
+    between: encryptedBetween,
+    notBetween: encryptedNotBetween,
+    // Text search operators
+    like: encryptedLike,
+    ilike: encryptedIlike,
+    notIlike: encryptedNotIlike,
+    // Searchable JSON operators
+    jsonbPathQueryFirst: encryptedJsonbPathQueryFirst,
+    jsonbGet: encryptedJsonbGet,
+    jsonbPathExists: encryptedJsonbPathExists,
+    // Array operators
+    inArray: encryptedInArray,
+    notInArray: encryptedNotInArray,
+    // Sorting operators
+    asc: encryptedAsc,
+    desc: encryptedDesc,
+    // AND operator - batches encryption operations
+    and: encryptedAnd,
+    // OR operator - batches encryption operations
+    or: encryptedOr,
+    // Operators that don't need encryption (pass through to Drizzle)
+    exists: import_drizzle_orm.exists,
+    notExists: import_drizzle_orm.notExists,
+    isNull: import_drizzle_orm.isNull,
+    isNotNull: import_drizzle_orm.isNotNull,
+    not: import_drizzle_orm.not,
+    // Array operators that work with arrays directly (not encrypted values)
+    arrayContains: import_drizzle_orm.arrayContains,
+    arrayContained: import_drizzle_orm.arrayContained,
+    arrayOverlaps: import_drizzle_orm.arrayOverlaps
+  };
+}
+
+// src/drizzle/index.ts
+var columnConfigMap = /* @__PURE__ */ new Map();
+var encryptedType = (name, config) => {
+  const customColumnType = (0, import_pg_core.customType)({
+    dataType() {
+      return "eql_v2_encrypted";
+    },
+    toDriver(value) {
+      const jsonStr = JSON.stringify(value);
+      const escaped = jsonStr.replace(/"/g, '""');
+      return `("${escaped}")`;
+    },
+    fromDriver(value) {
+      const parseComposite = (str) => {
+        if (!str || str === "") return null;
+        const trimmed = str.trim();
+        if (trimmed.startsWith("(") && trimmed.endsWith(")")) {
+          let inner = trimmed.slice(1, -1);
+          inner = inner.replace(/""/g, '"');
+          if (inner.startsWith('"') && inner.endsWith('"')) {
+            const stripped = inner.slice(1, -1);
+            return JSON.parse(stripped);
+          }
+          if (inner.startsWith("{") || inner.startsWith("[")) {
+            return JSON.parse(inner);
+          }
+          return inner;
+        }
+        return JSON.parse(str);
+      };
+      return parseComposite(value);
+    }
+  });
+  const column = customColumnType(name);
+  const fullConfig = {
+    name,
+    ...config
+  };
+  columnConfigMap.set(name, fullConfig);
+  column._encryptionConfig = fullConfig;
+  return column;
+};
+function getEncryptedColumnConfig(columnName, column) {
+  if (column && typeof column === "object") {
+    const columnAny = column;
+    const isEncrypted = columnAny.sqlName === "eql_v2_encrypted" || columnAny.dataType === "eql_v2_encrypted" || columnAny.dataType && typeof columnAny.dataType === "function" && columnAny.dataType() === "eql_v2_encrypted";
+    if (isEncrypted) {
+      if (columnAny._encryptionConfig) {
+        return columnAny._encryptionConfig;
+      }
+      const lookupName = columnAny.name || columnName;
+      return columnConfigMap.get(lookupName);
+    }
+  }
+  return void 0;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  EncryptionConfigError,
+  EncryptionOperatorError,
+  createEncryptionOperators,
+  encryptedType,
+  extractEncryptionSchema,
+  getEncryptedColumnConfig
+});
+//# sourceMappingURL=index.cjs.map