@cipherstash/stack 0.1.0

package/dist/drizzle/index.js

@@ -0,0 +1,1212 @@
+import {
+  queryTypes
+} from "../chunk-SJ7JO4ME.js";
+import {
+  encryptedColumn,
+  encryptedTable
+} from "../chunk-7XRPN2KX.js";
+
+// src/drizzle/index.ts
+import { customType } from "drizzle-orm/pg-core";
+
+// src/drizzle/schema-extraction.ts
+function extractEncryptionSchema(table) {
+  const tableName = table[Symbol.for("drizzle:Name")];
+  if (!tableName) {
+    throw new Error(
+      "Unable to extract table name from Drizzle table. Ensure you are using a table created with pgTable()."
+    );
+  }
+  const columns = {};
+  for (const [columnName, column] of Object.entries(table)) {
+    if (typeof column !== "object" || column === null) {
+      continue;
+    }
+    const config = getEncryptedColumnConfig(columnName, column);
+    if (config) {
+      const actualColumnName = column.name || config.name;
+      const csCol = encryptedColumn(actualColumnName);
+      if (config.dataType && config.dataType !== "string") {
+        csCol.dataType(config.dataType);
+      }
+      if (config.orderAndRange) {
+        csCol.orderAndRange();
+      }
+      if (config.equality) {
+        if (Array.isArray(config.equality)) {
+          csCol.equality(config.equality);
+        } else {
+          csCol.equality();
+        }
+      }
+      if (config.freeTextSearch) {
+        if (typeof config.freeTextSearch === "object") {
+          csCol.freeTextSearch(config.freeTextSearch);
+        } else {
+          csCol.freeTextSearch();
+        }
+      }
+      if (config.searchableJson) {
+        if (config.dataType !== "json") {
+          throw new Error(
+            `Column "${columnName}" has searchableJson enabled but dataType is "${config.dataType ?? "string"}". searchableJson requires dataType: 'json'.`
+          );
+        }
+        csCol.searchableJson();
+      }
+      columns[actualColumnName] = csCol;
+    }
+  }
+  if (Object.keys(columns).length === 0) {
+    throw new Error(
+      `No encrypted columns found in table "${tableName}". Use encryptedType() to define encrypted columns.`
+    );
+  }
+  return encryptedTable(tableName, columns);
+}
+
+// src/drizzle/operators.ts
+import {
+  and,
+  arrayContained,
+  arrayContains,
+  arrayOverlaps,
+  asc,
+  between,
+  desc,
+  eq,
+  exists,
+  gt,
+  gte,
+  ilike,
+  inArray,
+  isNotNull,
+  isNull,
+  like,
+  lt,
+  lte,
+  ne,
+  not,
+  notBetween,
+  notExists,
+  notIlike,
+  notInArray,
+  or
+} from "drizzle-orm";
+import { bindIfParam, sql } from "drizzle-orm";
+function isSQLWrapper(value) {
+  return typeof value === "object" && value !== null && "sql" in value && typeof value.sql !== "undefined";
+}
+function isPgTable(value) {
+  return typeof value === "object" && value !== null && Symbol.for("drizzle:Name") in value;
+}
+var EncryptionOperatorError = class extends Error {
+  constructor(message, context) {
+    super(message);
+    this.context = context;
+    this.name = "EncryptionOperatorError";
+  }
+};
+var EncryptionConfigError = class extends EncryptionOperatorError {
+  constructor(message, context) {
+    super(message, context);
+    this.name = "EncryptionConfigError";
+  }
+};
+function getDrizzleTableName(drizzleTable) {
+  if (!isPgTable(drizzleTable)) {
+    return void 0;
+  }
+  const tableWithSymbol = drizzleTable;
+  return tableWithSymbol[Symbol.for("drizzle:Name")];
+}
+function getDrizzleTableFromColumn(drizzleColumn) {
+  const column = drizzleColumn;
+  return column.table;
+}
+function getEncryptedTableFromColumn(drizzleColumn, tableCache) {
+  const drizzleTable = getDrizzleTableFromColumn(drizzleColumn);
+  if (!drizzleTable) {
+    return void 0;
+  }
+  const tableName = getDrizzleTableName(drizzleTable);
+  if (!tableName) {
+    return void 0;
+  }
+  let encryptedTable2 = tableCache.get(tableName);
+  if (encryptedTable2) {
+    return encryptedTable2;
+  }
+  try {
+    encryptedTable2 = extractEncryptionSchema(drizzleTable);
+    tableCache.set(tableName, encryptedTable2);
+    return encryptedTable2;
+  } catch {
+    return void 0;
+  }
+}
+function getEncryptedColumn(drizzleColumn, encryptedTable2) {
+  const column = drizzleColumn;
+  const columnName = column.name;
+  if (!columnName) {
+    return void 0;
+  }
+  const tableRecord = encryptedTable2;
+  return tableRecord[columnName];
+}
+function getColumnInfo(drizzleColumn, encryptedTable2, tableCache) {
+  const column = drizzleColumn;
+  const columnName = column.name || "unknown";
+  let resolvedTable = encryptedTable2;
+  if (!resolvedTable) {
+    resolvedTable = getEncryptedTableFromColumn(drizzleColumn, tableCache);
+  }
+  const drizzleTable = getDrizzleTableFromColumn(drizzleColumn);
+  const tableName = getDrizzleTableName(drizzleTable);
+  if (!resolvedTable) {
+    const config2 = getEncryptedColumnConfig(columnName, drizzleColumn);
+    return {
+      encryptedColumn: void 0,
+      config: config2,
+      encryptedTable: void 0,
+      columnName,
+      tableName
+    };
+  }
+  const encryptedColumn2 = getEncryptedColumn(drizzleColumn, resolvedTable);
+  const config = getEncryptedColumnConfig(columnName, drizzleColumn);
+  return {
+    encryptedColumn: encryptedColumn2,
+    config,
+    encryptedTable: resolvedTable,
+    columnName,
+    tableName
+  };
+}
+function toPlaintext(value) {
+  if (typeof value === "boolean") {
+    return value ? 1 : 0;
+  }
+  if (typeof value === "string" || typeof value === "number") {
+    return value;
+  }
+  if (value instanceof Date) {
+    return value.toISOString();
+  }
+  return String(value);
+}
+async function encryptValues(encryptionClient, values, encryptedTable2, tableCache) {
+  if (values.length === 0) {
+    return [];
+  }
+  const valuesToEncrypt = [];
+  const results = new Array(values.length);
+  for (let i = 0; i < values.length; i++) {
+    const { value, column, queryType } = values[i];
+    const columnInfo = getColumnInfo(column, encryptedTable2, tableCache);
+    if (!columnInfo.encryptedColumn || !columnInfo.config || !columnInfo.encryptedTable) {
+      results[i] = value;
+      continue;
+    }
+    const plaintextValue = toPlaintext(value);
+    valuesToEncrypt.push({
+      value: plaintextValue,
+      column,
+      columnInfo,
+      queryType,
+      originalIndex: i
+    });
+  }
+  if (valuesToEncrypt.length === 0) {
+    return results;
+  }
+  const columnGroups = /* @__PURE__ */ new Map();
+  let valueIndex = 0;
+  for (const {
+    value,
+    columnInfo,
+    queryType,
+    originalIndex
+  } of valuesToEncrypt) {
+    if (!columnInfo.config || !columnInfo.encryptedColumn || !columnInfo.encryptedTable) {
+      continue;
+    }
+    const columnName = columnInfo.config.name;
+    const groupKey = `${columnInfo.tableName ?? "unknown"}/${columnName}`;
+    let group = columnGroups.get(groupKey);
+    if (!group) {
+      group = {
+        column: columnInfo.encryptedColumn,
+        table: columnInfo.encryptedTable,
+        columnName,
+        values: [],
+        resultIndices: []
+      };
+      columnGroups.set(groupKey, group);
+    }
+    group.values.push({ value, index: valueIndex++, queryType });
+    group.resultIndices.push(originalIndex);
+  }
+  for (const [, group] of columnGroups) {
+    const { columnName } = group;
+    try {
+      const terms = group.values.map((v) => ({
+        value: v.value,
+        column: group.column,
+        table: group.table,
+        queryType: v.queryType
+      }));
+      const encryptedTerms = await encryptionClient.encryptQuery(terms);
+      if (encryptedTerms.failure) {
+        throw new EncryptionOperatorError(
+          `Failed to encrypt query terms for column "${columnName}": ${encryptedTerms.failure.message}`,
+          { columnName }
+        );
+      }
+      for (let i = 0; i < group.values.length; i++) {
+        const resultIndex = group.resultIndices[i] ?? -1;
+        if (resultIndex >= 0 && resultIndex < results.length) {
+          results[resultIndex] = encryptedTerms.data[i];
+        }
+      }
+    } catch (error) {
+      if (error instanceof EncryptionOperatorError) {
+        throw error;
+      }
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new EncryptionOperatorError(
+        `Unexpected error encrypting values for column "${columnName}": ${errorMessage}`,
+        { columnName }
+      );
+    }
+  }
+  return results;
+}
+async function encryptValue(encryptionClient, value, drizzleColumn, encryptedTable2, tableCache, queryType) {
+  const results = await encryptValues(
+    encryptionClient,
+    [{ value, column: drizzleColumn, queryType }],
+    encryptedTable2,
+    tableCache
+  );
+  return results[0];
+}
+function isLazyOperator(value) {
+  return typeof value === "object" && value !== null && "__isLazyOperator" in value && value.__isLazyOperator === true;
+}
+function createLazyOperator(operator, left, right, execute, needsEncryption, columnInfo, encryptionClient, defaultTable, tableCache, min, max, queryType) {
+  let resolvedSQL;
+  let encryptionPromise;
+  const lazyOp = {
+    __isLazyOperator: true,
+    operator,
+    queryType,
+    left,
+    right,
+    min,
+    max,
+    needsEncryption,
+    columnInfo,
+    execute
+  };
+  const promise = new Promise((resolve, reject) => {
+    queueMicrotask(async () => {
+      if (resolvedSQL !== void 0) {
+        resolve(resolvedSQL);
+        return;
+      }
+      try {
+        if (!encryptionPromise) {
+          encryptionPromise = executeLazyOperatorDirect(
+            lazyOp,
+            encryptionClient,
+            defaultTable,
+            tableCache
+          );
+        }
+        const sql2 = await encryptionPromise;
+        resolvedSQL = sql2;
+        resolve(sql2);
+      } catch (error) {
+        reject(error);
+      }
+    });
+  });
+  return Object.assign(promise, lazyOp);
+}
+async function executeLazyOperator(lazyOp, encryptedValues) {
+  if (!lazyOp.needsEncryption) {
+    return lazyOp.execute(lazyOp.right);
+  }
+  if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+    let encryptedMin;
+    let encryptedMax;
+    if (encryptedValues && encryptedValues.length >= 2) {
+      encryptedMin = encryptedValues[0]?.encrypted;
+      encryptedMax = encryptedValues[1]?.encrypted;
+    } else {
+      throw new EncryptionOperatorError(
+        "Between operator requires both min and max encrypted values",
+        {
+          columnName: lazyOp.columnInfo.columnName,
+          tableName: lazyOp.columnInfo.tableName,
+          operator: lazyOp.operator
+        }
+      );
+    }
+    if (encryptedMin === void 0 || encryptedMax === void 0) {
+      throw new EncryptionOperatorError(
+        "Between operator requires both min and max values to be encrypted",
+        {
+          columnName: lazyOp.columnInfo.columnName,
+          tableName: lazyOp.columnInfo.tableName,
+          operator: lazyOp.operator
+        }
+      );
+    }
+    return lazyOp.execute(void 0, encryptedMin, encryptedMax);
+  }
+  let encrypted;
+  if (encryptedValues && encryptedValues.length > 0) {
+    encrypted = encryptedValues[0]?.encrypted;
+  } else {
+    throw new EncryptionOperatorError(
+      "Operator requires encrypted value but none provided",
+      {
+        columnName: lazyOp.columnInfo.columnName,
+        tableName: lazyOp.columnInfo.tableName,
+        operator: lazyOp.operator
+      }
+    );
+  }
+  if (encrypted === void 0) {
+    throw new EncryptionOperatorError(
+      "Encryption failed or value was not encrypted",
+      {
+        columnName: lazyOp.columnInfo.columnName,
+        tableName: lazyOp.columnInfo.tableName,
+        operator: lazyOp.operator
+      }
+    );
+  }
+  return lazyOp.execute(encrypted);
+}
+async function executeLazyOperatorDirect(lazyOp, encryptionClient, defaultTable, tableCache) {
+  if (!lazyOp.needsEncryption) {
+    return lazyOp.execute(lazyOp.right);
+  }
+  if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+    const [encryptedMin, encryptedMax] = await encryptValues(
+      encryptionClient,
+      [
+        { value: lazyOp.min, column: lazyOp.left, queryType: lazyOp.queryType },
+        { value: lazyOp.max, column: lazyOp.left, queryType: lazyOp.queryType }
+      ],
+      defaultTable,
+      tableCache
+    );
+    return lazyOp.execute(void 0, encryptedMin, encryptedMax);
+  }
+  const encrypted = await encryptValue(
+    encryptionClient,
+    lazyOp.right,
+    lazyOp.left,
+    defaultTable,
+    tableCache,
+    lazyOp.queryType
+  );
+  return lazyOp.execute(encrypted);
+}
+function createComparisonOperator(operator, left, right, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  const requiresOrderAndRange = ["gt", "gte", "lt", "lte"].includes(operator);
+  if (requiresOrderAndRange) {
+    if (!config?.orderAndRange) {
+      switch (operator) {
+        case "gt":
+          return gt(left, right);
+        case "gte":
+          return gte(left, right);
+        case "lt":
+          return lt(left, right);
+        case "lte":
+          return lte(left, right);
+      }
+    }
+    const executeFn = (encrypted) => {
+      if (encrypted === void 0) {
+        throw new EncryptionOperatorError(
+          `Encryption failed for ${operator} operator`,
+          {
+            columnName: columnInfo.columnName,
+            tableName: columnInfo.tableName,
+            operator
+          }
+        );
+      }
+      return sql`eql_v2.${sql.raw(operator)}(${left}, ${bindIfParam(encrypted, left)})`;
+    };
+    return createLazyOperator(
+      operator,
+      left,
+      right,
+      executeFn,
+      true,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache,
+      void 0,
+      // min
+      void 0,
+      // max
+      queryTypes.orderAndRange
+    );
+  }
+  const requiresEquality = ["eq", "ne"].includes(operator);
+  if (requiresEquality && config?.equality) {
+    const executeFn = (encrypted) => {
+      if (encrypted === void 0) {
+        throw new EncryptionOperatorError(
+          `Encryption failed for ${operator} operator`,
+          {
+            columnName: columnInfo.columnName,
+            tableName: columnInfo.tableName,
+            operator
+          }
+        );
+      }
+      return operator === "eq" ? eq(left, encrypted) : ne(left, encrypted);
+    };
+    return createLazyOperator(
+      operator,
+      left,
+      right,
+      executeFn,
+      true,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache,
+      void 0,
+      // min
+      void 0,
+      // max
+      queryTypes.equality
+    );
+  }
+  return operator === "eq" ? eq(left, right) : ne(left, right);
+}
+function createRangeOperator(operator, left, min, max, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  if (!config?.orderAndRange) {
+    return operator === "between" ? between(left, min, max) : notBetween(left, min, max);
+  }
+  const executeFn = (_encrypted, encryptedMin, encryptedMax) => {
+    if (encryptedMin === void 0 || encryptedMax === void 0) {
+      throw new EncryptionOperatorError(
+        `${operator} operator requires both min and max values`,
+        {
+          columnName: columnInfo.columnName,
+          tableName: columnInfo.tableName,
+          operator
+        }
+      );
+    }
+    const rangeCondition = sql`eql_v2.gte(${left}, ${bindIfParam(encryptedMin, left)}) AND eql_v2.lte(${left}, ${bindIfParam(encryptedMax, left)})`;
+    return operator === "between" ? rangeCondition : sql`NOT (${rangeCondition})`;
+  };
+  return createLazyOperator(
+    operator,
+    left,
+    void 0,
+    executeFn,
+    true,
+    columnInfo,
+    encryptionClient,
+    defaultTable,
+    tableCache,
+    min,
+    max,
+    queryTypes.orderAndRange
+  );
+}
+function createTextSearchOperator(operator, left, right, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  if (!config?.freeTextSearch) {
+    const rightValue = right;
+    switch (operator) {
+      case "like":
+        return like(left, rightValue);
+      case "ilike":
+        return ilike(left, rightValue);
+      case "notIlike":
+        return notIlike(left, rightValue);
+    }
+  }
+  const executeFn = (encrypted) => {
+    if (encrypted === void 0) {
+      throw new EncryptionOperatorError(
+        `Encryption failed for ${operator} operator`,
+        {
+          columnName: columnInfo.columnName,
+          tableName: columnInfo.tableName,
+          operator
+        }
+      );
+    }
+    const sqlFn = sql`eql_v2.${sql.raw(operator === "notIlike" ? "ilike" : operator)}(${left}, ${bindIfParam(encrypted, left)})`;
+    return operator === "notIlike" ? sql`NOT (${sqlFn})` : sqlFn;
+  };
+  return createLazyOperator(
+    operator,
+    left,
+    right,
+    executeFn,
+    true,
+    columnInfo,
+    encryptionClient,
+    defaultTable,
+    tableCache,
+    void 0,
+    // min
+    void 0,
+    // max
+    queryTypes.freeTextSearch
+  );
+}
+function createJsonbOperator(operator, left, right, columnInfo, encryptionClient, defaultTable, tableCache) {
+  const { config } = columnInfo;
+  const encryptedSelector = (value) => sql`${bindIfParam(value, left)}::eql_v2_encrypted`;
+  if (!config?.searchableJson) {
+    throw new EncryptionOperatorError(
+      `The ${operator} operator requires searchableJson to be enabled on the column configuration.`,
+      {
+        columnName: columnInfo.columnName,
+        tableName: columnInfo.tableName,
+        operator
+      }
+    );
+  }
+  const executeFn = (encrypted) => {
+    if (encrypted === void 0) {
+      throw new EncryptionOperatorError(
+        `Encryption failed for ${operator} operator`,
+        {
+          columnName: columnInfo.columnName,
+          tableName: columnInfo.tableName,
+          operator
+        }
+      );
+    }
+    switch (operator) {
+      case "jsonbPathQueryFirst":
+        return sql`eql_v2.jsonb_path_query_first(${left}, ${encryptedSelector(encrypted)})`;
+      case "jsonbGet":
+        return sql`${left} -> ${encryptedSelector(encrypted)}`;
+      case "jsonbPathExists":
+        return sql`eql_v2.jsonb_path_exists(${left}, ${encryptedSelector(encrypted)})`;
+    }
+  };
+  return createLazyOperator(
+    operator,
+    left,
+    right,
+    executeFn,
+    true,
+    columnInfo,
+    encryptionClient,
+    defaultTable,
+    tableCache,
+    void 0,
+    void 0,
+    queryTypes.steVecSelector
+  );
+}
+function createEncryptionOperators(encryptionClient) {
+  const tableCache = /* @__PURE__ */ new Map();
+  const defaultTable = void 0;
+  const encryptedEq = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "eq",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedNe = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "ne",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedGt = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "gt",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedGte = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "gte",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedLt = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "lt",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedLte = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createComparisonOperator(
+      "lte",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedBetween = (left, min, max) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createRangeOperator(
+      "between",
+      left,
+      min,
+      max,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedNotBetween = (left, min, max) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createRangeOperator(
+      "notBetween",
+      left,
+      min,
+      max,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedLike = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createTextSearchOperator(
+      "like",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedIlike = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createTextSearchOperator(
+      "ilike",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedNotIlike = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createTextSearchOperator(
+      "notIlike",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedJsonbPathQueryFirst = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createJsonbOperator(
+      "jsonbPathQueryFirst",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedJsonbGet = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createJsonbOperator(
+      "jsonbGet",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedJsonbPathExists = (left, right) => {
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    return createJsonbOperator(
+      "jsonbPathExists",
+      left,
+      right,
+      columnInfo,
+      encryptionClient,
+      defaultTable,
+      tableCache
+    );
+  };
+  const encryptedInArray = async (left, right) => {
+    if (isSQLWrapper(right)) {
+      return inArray(left, right);
+    }
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    if (!columnInfo.config?.equality || !Array.isArray(right)) {
+      return inArray(left, right);
+    }
+    const encryptedValues = await encryptValues(
+      encryptionClient,
+      right.map((value) => ({
+        value,
+        column: left,
+        queryType: queryTypes.equality
+      })),
+      defaultTable,
+      tableCache
+    );
+    const conditions = encryptedValues.filter((encrypted) => encrypted !== void 0).map((encrypted) => eq(left, encrypted));
+    if (conditions.length === 0) {
+      return sql`false`;
+    }
+    const combined = or(...conditions);
+    return combined ?? sql`false`;
+  };
+  const encryptedNotInArray = async (left, right) => {
+    if (isSQLWrapper(right)) {
+      return notInArray(
+        left,
+        right
+      );
+    }
+    const columnInfo = getColumnInfo(left, defaultTable, tableCache);
+    if (!columnInfo.config?.equality || !Array.isArray(right)) {
+      return notInArray(left, right);
+    }
+    const encryptedValues = await encryptValues(
+      encryptionClient,
+      right.map((value) => ({
+        value,
+        column: left,
+        queryType: queryTypes.equality
+      })),
+      defaultTable,
+      tableCache
+    );
+    const conditions = encryptedValues.filter((encrypted) => encrypted !== void 0).map((encrypted) => ne(left, encrypted));
+    if (conditions.length === 0) {
+      return sql`true`;
+    }
+    const combined = and(...conditions);
+    return combined ?? sql`true`;
+  };
+  const encryptedAsc = (column) => {
+    const columnInfo = getColumnInfo(column, defaultTable, tableCache);
+    if (columnInfo.config?.orderAndRange) {
+      return asc(sql`eql_v2.order_by(${column})`);
+    }
+    return asc(column);
+  };
+  const encryptedDesc = (column) => {
+    const columnInfo = getColumnInfo(column, defaultTable, tableCache);
+    if (columnInfo.config?.orderAndRange) {
+      return desc(sql`eql_v2.order_by(${column})`);
+    }
+    return desc(column);
+  };
+  const encryptedAnd = async (...conditions) => {
+    const lazyOperators = [];
+    const regularConditions = [];
+    const regularPromises = [];
+    for (const condition of conditions) {
+      if (condition === void 0) {
+        continue;
+      }
+      if (isLazyOperator(condition)) {
+        lazyOperators.push(condition);
+      } else if (condition instanceof Promise) {
+        if (isLazyOperator(condition)) {
+          lazyOperators.push(condition);
+        } else {
+          regularPromises.push(condition);
+        }
+      } else {
+        regularConditions.push(condition);
+      }
+    }
+    if (lazyOperators.length === 0) {
+      const allConditions2 = [
+        ...regularConditions,
+        ...await Promise.all(regularPromises)
+      ];
+      return and(...allConditions2) ?? sql`true`;
+    }
+    const valuesToEncrypt = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      if (!lazyOp.needsEncryption) {
+        continue;
+      }
+      if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.min,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMin: true
+        });
+        valuesToEncrypt.push({
+          value: lazyOp.max,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMax: true
+        });
+      } else if (lazyOp.right !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.right,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i
+        });
+      }
+    }
+    const encryptedResults = await encryptValues(
+      encryptionClient,
+      valuesToEncrypt.map((v) => ({
+        value: v.value,
+        column: v.column,
+        queryType: v.queryType
+      })),
+      defaultTable,
+      tableCache
+    );
+    const encryptedByLazyOp = /* @__PURE__ */ new Map();
+    for (let i = 0; i < valuesToEncrypt.length; i++) {
+      const { lazyOpIndex, isMin, isMax } = valuesToEncrypt[i];
+      const encrypted = encryptedResults[i];
+      let group = encryptedByLazyOp.get(lazyOpIndex);
+      if (!group) {
+        group = {};
+        encryptedByLazyOp.set(lazyOpIndex, group);
+      }
+      if (isMin) {
+        group.min = encrypted;
+      } else if (isMax) {
+        group.max = encrypted;
+      } else {
+        group.value = encrypted;
+      }
+    }
+    const sqlConditions = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      const encrypted = encryptedByLazyOp.get(i);
+      let sqlCondition;
+      if (lazyOp.needsEncryption && encrypted) {
+        const encryptedValues = [];
+        if (encrypted.value !== void 0) {
+          encryptedValues.push({
+            value: lazyOp.right,
+            encrypted: encrypted.value
+          });
+        }
+        if (encrypted.min !== void 0) {
+          encryptedValues.push({ value: lazyOp.min, encrypted: encrypted.min });
+        }
+        if (encrypted.max !== void 0) {
+          encryptedValues.push({ value: lazyOp.max, encrypted: encrypted.max });
+        }
+        sqlCondition = await executeLazyOperator(lazyOp, encryptedValues);
+      } else {
+        sqlCondition = lazyOp.execute(lazyOp.right);
+      }
+      sqlConditions.push(sqlCondition);
+    }
+    const regularPromisesResults = await Promise.all(regularPromises);
+    const allConditions = [
+      ...regularConditions,
+      ...sqlConditions,
+      ...regularPromisesResults
+    ];
+    return and(...allConditions) ?? sql`true`;
+  };
+  const encryptedOr = async (...conditions) => {
+    const lazyOperators = [];
+    const regularConditions = [];
+    const regularPromises = [];
+    for (const condition of conditions) {
+      if (condition === void 0) {
+        continue;
+      }
+      if (isLazyOperator(condition)) {
+        lazyOperators.push(condition);
+      } else if (condition instanceof Promise) {
+        if (isLazyOperator(condition)) {
+          lazyOperators.push(condition);
+        } else {
+          regularPromises.push(condition);
+        }
+      } else {
+        regularConditions.push(condition);
+      }
+    }
+    if (lazyOperators.length === 0) {
+      const allConditions2 = [
+        ...regularConditions,
+        ...await Promise.all(regularPromises)
+      ];
+      return or(...allConditions2) ?? sql`false`;
+    }
+    const valuesToEncrypt = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      if (!lazyOp.needsEncryption) {
+        continue;
+      }
+      if (lazyOp.min !== void 0 && lazyOp.max !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.min,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMin: true
+        });
+        valuesToEncrypt.push({
+          value: lazyOp.max,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i,
+          isMax: true
+        });
+      } else if (lazyOp.right !== void 0) {
+        valuesToEncrypt.push({
+          value: lazyOp.right,
+          column: lazyOp.left,
+          columnInfo: lazyOp.columnInfo,
+          queryType: lazyOp.queryType,
+          lazyOpIndex: i
+        });
+      }
+    }
+    const encryptedResults = await encryptValues(
+      encryptionClient,
+      valuesToEncrypt.map((v) => ({
+        value: v.value,
+        column: v.column,
+        queryType: v.queryType
+      })),
+      defaultTable,
+      tableCache
+    );
+    const encryptedByLazyOp = /* @__PURE__ */ new Map();
+    for (let i = 0; i < valuesToEncrypt.length; i++) {
+      const { lazyOpIndex, isMin, isMax } = valuesToEncrypt[i];
+      const encrypted = encryptedResults[i];
+      let group = encryptedByLazyOp.get(lazyOpIndex);
+      if (!group) {
+        group = {};
+        encryptedByLazyOp.set(lazyOpIndex, group);
+      }
+      if (isMin) {
+        group.min = encrypted;
+      } else if (isMax) {
+        group.max = encrypted;
+      } else {
+        group.value = encrypted;
+      }
+    }
+    const sqlConditions = [];
+    for (let i = 0; i < lazyOperators.length; i++) {
+      const lazyOp = lazyOperators[i];
+      const encrypted = encryptedByLazyOp.get(i);
+      let sqlCondition;
+      if (lazyOp.needsEncryption && encrypted) {
+        const encryptedValues = [];
+        if (encrypted.value !== void 0) {
+          encryptedValues.push({
+            value: lazyOp.right,
+            encrypted: encrypted.value
+          });
+        }
+        if (encrypted.min !== void 0) {
+          encryptedValues.push({ value: lazyOp.min, encrypted: encrypted.min });
+        }
+        if (encrypted.max !== void 0) {
+          encryptedValues.push({ value: lazyOp.max, encrypted: encrypted.max });
+        }
+        sqlCondition = await executeLazyOperator(lazyOp, encryptedValues);
+      } else {
+        sqlCondition = lazyOp.execute(lazyOp.right);
+      }
+      sqlConditions.push(sqlCondition);
+    }
+    const regularPromisesResults = await Promise.all(regularPromises);
+    const allConditions = [
+      ...regularConditions,
+      ...sqlConditions,
+      ...regularPromisesResults
+    ];
+    return or(...allConditions) ?? sql`false`;
+  };
+  return {
+    // Comparison operators
+    eq: encryptedEq,
+    ne: encryptedNe,
+    gt: encryptedGt,
+    gte: encryptedGte,
+    lt: encryptedLt,
+    lte: encryptedLte,
+    // Range operators
+    between: encryptedBetween,
+    notBetween: encryptedNotBetween,
+    // Text search operators
+    like: encryptedLike,
+    ilike: encryptedIlike,
+    notIlike: encryptedNotIlike,
+    // Searchable JSON operators
+    jsonbPathQueryFirst: encryptedJsonbPathQueryFirst,
+    jsonbGet: encryptedJsonbGet,
+    jsonbPathExists: encryptedJsonbPathExists,
+    // Array operators
+    inArray: encryptedInArray,
+    notInArray: encryptedNotInArray,
+    // Sorting operators
+    asc: encryptedAsc,
+    desc: encryptedDesc,
+    // AND operator - batches encryption operations
+    and: encryptedAnd,
+    // OR operator - batches encryption operations
+    or: encryptedOr,
+    // Operators that don't need encryption (pass through to Drizzle)
+    exists,
+    notExists,
+    isNull,
+    isNotNull,
+    not,
+    // Array operators that work with arrays directly (not encrypted values)
+    arrayContains,
+    arrayContained,
+    arrayOverlaps
+  };
+}
+
+// src/drizzle/index.ts
+var columnConfigMap = /* @__PURE__ */ new Map();
+var encryptedType = (name, config) => {
+  const customColumnType = customType({
+    dataType() {
+      return "eql_v2_encrypted";
+    },
+    toDriver(value) {
+      const jsonStr = JSON.stringify(value);
+      const escaped = jsonStr.replace(/"/g, '""');
+      return `("${escaped}")`;
+    },
+    fromDriver(value) {
+      const parseComposite = (str) => {
+        if (!str || str === "") return null;
+        const trimmed = str.trim();
+        if (trimmed.startsWith("(") && trimmed.endsWith(")")) {
+          let inner = trimmed.slice(1, -1);
+          inner = inner.replace(/""/g, '"');
+          if (inner.startsWith('"') && inner.endsWith('"')) {
+            const stripped = inner.slice(1, -1);
+            return JSON.parse(stripped);
+          }
+          if (inner.startsWith("{") || inner.startsWith("[")) {
+            return JSON.parse(inner);
+          }
+          return inner;
+        }
+        return JSON.parse(str);
+      };
+      return parseComposite(value);
+    }
+  });
+  const column = customColumnType(name);
+  const fullConfig = {
+    name,
+    ...config
+  };
+  columnConfigMap.set(name, fullConfig);
+  column._encryptionConfig = fullConfig;
+  return column;
+};
+function getEncryptedColumnConfig(columnName, column) {
+  if (column && typeof column === "object") {
+    const columnAny = column;
+    const isEncrypted = columnAny.sqlName === "eql_v2_encrypted" || columnAny.dataType === "eql_v2_encrypted" || columnAny.dataType && typeof columnAny.dataType === "function" && columnAny.dataType() === "eql_v2_encrypted";
+    if (isEncrypted) {
+      if (columnAny._encryptionConfig) {
+        return columnAny._encryptionConfig;
+      }
+      const lookupName = columnAny.name || columnName;
+      return columnConfigMap.get(lookupName);
+    }
+  }
+  return void 0;
+}
+export {
+  EncryptionConfigError,
+  EncryptionOperatorError,
+  createEncryptionOperators,
+  encryptedType,
+  extractEncryptionSchema,
+  getEncryptedColumnConfig
+};
+//# sourceMappingURL=index.js.map