@cipherstash/stack 0.1.0

package/dist/dynamodb/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/dynamodb/index.ts","../../src/dynamodb/operations/bulk-decrypt-models.ts","../../src/dynamodb/helpers.ts","../../src/dynamodb/operations/base-operation.ts","../../src/dynamodb/operations/bulk-encrypt-models.ts","../../src/dynamodb/operations/decrypt-model.ts","../../src/dynamodb/operations/encrypt-model.ts"],"sourcesContent":["import type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { EncryptedValue } from '@/types'\nimport { BulkDecryptModelsOperation } from './operations/bulk-decrypt-models'\nimport { BulkEncryptModelsOperation } from './operations/bulk-encrypt-models'\nimport { DecryptModelOperation } from './operations/decrypt-model'\nimport { EncryptModelOperation } from './operations/encrypt-model'\nimport type {\n  EncryptedDynamoDBConfig,\n  EncryptedDynamoDBInstance,\n} from './types'\n\n/**\n * Create an encrypted DynamoDB helper bound to an `EncryptionClient`.\n *\n * Returns an object with `encryptModel`, `decryptModel`, `bulkEncryptModels`,\n * and `bulkDecryptModels` methods that transparently encrypt/decrypt DynamoDB\n * items according to the provided table schema.\n *\n * @param config - Configuration containing the `encryptionClient` and optional\n *   logging / error-handling callbacks.\n * @returns An {@link EncryptedDynamoDBInstance} with encrypt/decrypt operations.\n *\n * @example\n * ```typescript\n * import { Encryption } from \"@cipherstash/stack\"\n * import { encryptedDynamoDB } from \"@cipherstash/stack/dynamodb\"\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n *   email: encryptedColumn(\"email\").equality(),\n * })\n *\n * const client = await Encryption({ schemas: [users] })\n * const dynamo = encryptedDynamoDB({ encryptionClient: client })\n *\n * const encrypted = await dynamo.encryptModel({ email: \"a@b.com\" }, users)\n * ```\n */\nexport function encryptedDynamoDB(\n  config: EncryptedDynamoDBConfig,\n): EncryptedDynamoDBInstance {\n  const { encryptionClient, options } = config\n\n  return {\n    encryptModel<T extends Record<string, unknown>>(\n      item: T,\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new EncryptModelOperation<T>(\n        encryptionClient,\n        item,\n        table,\n        options,\n      )\n    },\n\n    bulkEncryptModels<T extends Record<string, unknown>>(\n      items: T[],\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new BulkEncryptModelsOperation<T>(\n        encryptionClient,\n        items,\n        table,\n        options,\n      )\n    },\n\n    decryptModel<T extends Record<string, unknown>>(\n      item: Record<string, EncryptedValue | unknown>,\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new DecryptModelOperation<T>(\n        encryptionClient,\n        item,\n        table,\n        options,\n      )\n    },\n\n    bulkDecryptModels<T extends Record<string, unknown>>(\n      items: Record<string, EncryptedValue | unknown>[],\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new BulkDecryptModelsOperation<T>(\n        encryptionClient,\n        items,\n        table,\n        options,\n      )\n    },\n  }\n}\n\nexport type {\n  EncryptedDynamoDBConfig,\n  EncryptedDynamoDBError,\n  EncryptedDynamoDBInstance,\n} from './types'\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { Decrypted, EncryptedValue } from '@/types'\nimport { type Result, withResult } from '@byteslice/result'\nimport { handleError, toItemWithEqlPayloads } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class BulkDecryptModelsOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<Decrypted<T>[]> {\n  private encryptionClient: EncryptionClient\n  private items: Record<string, EncryptedValue | unknown>[]\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    items: Record<string, EncryptedValue | unknown>[],\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.items = items\n    this.table = table\n  }\n\n  public async execute(): Promise<\n    Result<Decrypted<T>[], EncryptedDynamoDBError>\n  > {\n    return await withResult(\n      async () => {\n        const itemsWithEqlPayloads = this.items.map((item) =>\n          toItemWithEqlPayloads(item, this.table),\n        )\n\n        const decryptResult = await this.encryptionClient\n          .bulkDecryptModels<T>(itemsWithEqlPayloads as T[])\n          .audit(this.getAuditData())\n\n        if (decryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(decryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = decryptResult.failure.code\n          throw error\n        }\n\n        return decryptResult.data\n      },\n      (error) =>\n        handleError(error, 'bulkDecryptModels', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { EncryptedValue } from '@/types'\nimport type { ProtectErrorCode } from '@cipherstash/protect-ffi'\nimport { ProtectError as FfiProtectError } from '@cipherstash/protect-ffi'\nimport type { EncryptedDynamoDBError } from './types'\n\nexport const ciphertextAttrSuffix = '__source'\nexport const searchTermAttrSuffix = '__hmac'\n\nexport class EncryptedDynamoDBErrorImpl\n  extends Error\n  implements EncryptedDynamoDBError\n{\n  constructor(\n    message: string,\n    public code: ProtectErrorCode | 'DYNAMODB_ENCRYPTION_ERROR',\n    public details?: Record<string, unknown>,\n  ) {\n    super(message)\n    this.name = 'EncryptedDynamoDBError'\n  }\n}\n\nexport function handleError(\n  error: unknown,\n  context: string,\n  options?: {\n    logger?: {\n      error: (message: string, error: Error) => void\n    }\n    errorHandler?: (error: EncryptedDynamoDBError) => void\n  },\n): EncryptedDynamoDBError {\n  // Preserve FFI error code if available, otherwise use generic DynamoDB error code\n  // Check for FfiProtectError instance or plain error objects with code property\n  const errorObj = error as Record<string, unknown>\n  const errorCode =\n    error instanceof FfiProtectError\n      ? error.code\n      : errorObj &&\n          typeof errorObj === 'object' &&\n          'code' in errorObj &&\n          typeof errorObj.code === 'string'\n        ? (errorObj.code as ProtectErrorCode)\n        : 'DYNAMODB_ENCRYPTION_ERROR'\n\n  const errorMessage =\n    error instanceof Error\n      ? error.message\n      : errorObj && typeof errorObj.message === 'string'\n        ? errorObj.message\n        : String(error)\n\n  const dynamoError = new EncryptedDynamoDBErrorImpl(errorMessage, errorCode, {\n    context,\n  })\n\n  if (options?.errorHandler) {\n    options.errorHandler(dynamoError)\n  }\n\n  if (options?.logger) {\n    options.logger.error(`Error in ${context}`, dynamoError)\n  }\n\n  return dynamoError\n}\n\nexport function deepClone<T>(obj: T): T {\n  if (obj === null || typeof obj !== 'object') {\n    return obj\n  }\n\n  if (Array.isArray(obj)) {\n    return obj.map((item) => deepClone(item)) as unknown as T\n  }\n\n  return Object.entries(obj as Record<string, unknown>).reduce(\n    (acc, [key, value]) => ({\n      // biome-ignore lint/performance/noAccumulatingSpread: TODO later\n      ...acc,\n      [key]: deepClone(value),\n    }),\n    {} as T,\n  )\n}\n\nexport function toEncryptedDynamoItem(\n  encrypted: Record<string, unknown>,\n  encryptedAttrs: string[],\n): Record<string, unknown> {\n  function processValue(\n    attrName: string,\n    attrValue: unknown,\n    isNested: boolean,\n  ): Record<string, unknown> {\n    if (attrValue === null || attrValue === undefined) {\n      return { [attrName]: attrValue }\n    }\n\n    // Handle encrypted payload\n    if (\n      encryptedAttrs.includes(attrName) ||\n      (isNested &&\n        typeof attrValue === 'object' &&\n        'c' in (attrValue as object))\n    ) {\n      const encryptPayload = attrValue as EncryptedValue\n      if (encryptPayload?.c) {\n        const result: Record<string, unknown> = {}\n        if (encryptPayload.hm) {\n          result[`${attrName}${searchTermAttrSuffix}`] = encryptPayload.hm\n        }\n        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.c\n        return result\n      }\n\n      if (encryptPayload?.sv) {\n        const result: Record<string, unknown> = {}\n        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.sv\n        return result\n      }\n    }\n\n    // Handle nested objects recursively\n    if (typeof attrValue === 'object' && !Array.isArray(attrValue)) {\n      const nestedResult = Object.entries(\n        attrValue as Record<string, unknown>,\n      ).reduce(\n        (acc, [key, val]) => {\n          const processed = processValue(key, val, true)\n          return Object.assign({}, acc, processed)\n        },\n        {} as Record<string, unknown>,\n      )\n      return { [attrName]: nestedResult }\n    }\n\n    // Handle non-encrypted values\n    return { [attrName]: attrValue }\n  }\n\n  return Object.entries(encrypted).reduce(\n    (putItem, [attrName, attrValue]) => {\n      const processed = processValue(attrName, attrValue, false)\n      return Object.assign({}, putItem, processed)\n    },\n    {} as Record<string, unknown>,\n  )\n}\n\nexport function toItemWithEqlPayloads(\n  decrypted: Record<string, EncryptedValue | unknown>,\n  encryptionSchema: ProtectTable<ProtectTableColumn>,\n): Record<string, unknown> {\n  function processValue(\n    attrName: string,\n    attrValue: unknown,\n    isNested: boolean,\n  ): Record<string, unknown> {\n    if (attrValue === null || attrValue === undefined) {\n      return { [attrName]: attrValue }\n    }\n\n    // Skip HMAC fields\n    if (attrName.endsWith(searchTermAttrSuffix)) {\n      return {}\n    }\n\n    const encryptConfig = encryptionSchema.build()\n    const encryptedAttrs = Object.keys(encryptConfig.columns)\n    const columnName = attrName.slice(0, -ciphertextAttrSuffix.length)\n\n    // Handle encrypted payload\n    if (\n      attrName.endsWith(ciphertextAttrSuffix) &&\n      (encryptedAttrs.includes(columnName) || isNested)\n    ) {\n      const i = { c: columnName, t: encryptConfig.tableName }\n      const v = 2\n\n      // Nested values are not searchable, so we can just return the standard EQL payload.\n      // Worth noting, that encryptConfig.columns[columnName] will be undefined if isNested is true.\n      if (\n        !isNested &&\n        encryptConfig.columns[columnName].cast_as === 'json' &&\n        encryptConfig.columns[columnName].indexes.ste_vec\n      ) {\n        return {\n          [columnName]: {\n            i,\n            v,\n            k: 'sv',\n            sv: attrValue,\n          },\n        }\n      }\n\n      return {\n        [columnName]: {\n          i,\n          v,\n          k: 'ct',\n          c: attrValue,\n        },\n      }\n    }\n\n    // Handle nested objects recursively\n    if (typeof attrValue === 'object' && !Array.isArray(attrValue)) {\n      const nestedResult = Object.entries(\n        attrValue as Record<string, unknown>,\n      ).reduce(\n        (acc, [key, val]) => {\n          const processed = processValue(key, val, true)\n          return Object.assign({}, acc, processed)\n        },\n        {} as Record<string, unknown>,\n      )\n      return { [attrName]: nestedResult }\n    }\n\n    // Handle non-encrypted values\n    return { [attrName]: attrValue }\n  }\n\n  return Object.entries(decrypted).reduce(\n    (formattedItem, [attrName, attrValue]) => {\n      const processed = processValue(attrName, attrValue, false)\n      return Object.assign({}, formattedItem, processed)\n    },\n    {} as Record<string, unknown>,\n  )\n}\n","import type { Result } from '@byteslice/result'\nimport type { EncryptedDynamoDBError } from '../types'\n\nexport type AuditConfig = {\n  metadata?: Record<string, unknown>\n}\n\nexport type AuditData = {\n  metadata?: Record<string, unknown>\n}\n\nexport type DynamoDBOperationOptions = {\n  logger?: {\n    error: (message: string, error: Error) => void\n  }\n  errorHandler?: (error: EncryptedDynamoDBError) => void\n}\n\nexport abstract class DynamoDBOperation<T> {\n  protected auditMetadata?: Record<string, unknown>\n  protected logger?: DynamoDBOperationOptions['logger']\n  protected errorHandler?: DynamoDBOperationOptions['errorHandler']\n\n  constructor(options?: DynamoDBOperationOptions) {\n    this.logger = options?.logger\n    this.errorHandler = options?.errorHandler\n  }\n\n  /**\n   * Attach audit metadata to this operation. Can be chained.\n   */\n  audit(config: AuditConfig): this {\n    this.auditMetadata = config.metadata\n    return this\n  }\n\n  /**\n   * Get the audit metadata for this operation.\n   */\n  protected getAuditData(): AuditData {\n    return {\n      metadata: this.auditMetadata,\n    }\n  }\n\n  /**\n   * Execute the operation and return a Result\n   */\n  abstract execute(): Promise<Result<T, EncryptedDynamoDBError>>\n\n  /**\n   * Make the operation thenable\n   */\n  public then<TResult1 = Result<T, EncryptedDynamoDBError>, TResult2 = never>(\n    onfulfilled?:\n      | ((\n          value: Result<T, EncryptedDynamoDBError>,\n        ) => TResult1 | PromiseLike<TResult1>)\n      | null,\n    onrejected?: ((reason: unknown) => TResult2 | PromiseLike<TResult2>) | null,\n  ): Promise<TResult1 | TResult2> {\n    return this.execute().then(onfulfilled, onrejected)\n  }\n}\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport { type Result, withResult } from '@byteslice/result'\nimport { deepClone, handleError, toEncryptedDynamoItem } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class BulkEncryptModelsOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<T[]> {\n  private encryptionClient: EncryptionClient\n  private items: T[]\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    items: T[],\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.items = items\n    this.table = table\n  }\n\n  public async execute(): Promise<Result<T[], EncryptedDynamoDBError>> {\n    return await withResult(\n      async () => {\n        const encryptResult = await this.encryptionClient\n          .bulkEncryptModels(\n            this.items.map((item) => deepClone(item)),\n            this.table,\n          )\n          .audit(this.getAuditData())\n\n        if (encryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(encryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = encryptResult.failure.code\n          throw error\n        }\n\n        const data = encryptResult.data.map((item) => deepClone(item))\n        const encryptedAttrs = Object.keys(this.table.build().columns)\n\n        return data.map(\n          (encrypted) => toEncryptedDynamoItem(encrypted, encryptedAttrs) as T,\n        )\n      },\n      (error) =>\n        handleError(error, 'bulkEncryptModels', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { Decrypted, EncryptedValue } from '@/types'\nimport { type Result, withResult } from '@byteslice/result'\nimport { handleError, toItemWithEqlPayloads } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class DecryptModelOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<Decrypted<T>> {\n  private encryptionClient: EncryptionClient\n  private item: Record<string, EncryptedValue | unknown>\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    item: Record<string, EncryptedValue | unknown>,\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.item = item\n    this.table = table\n  }\n\n  public async execute(): Promise<\n    Result<Decrypted<T>, EncryptedDynamoDBError>\n  > {\n    return await withResult(\n      async () => {\n        const withEqlPayloads = toItemWithEqlPayloads(this.item, this.table)\n\n        const decryptResult = await this.encryptionClient\n          .decryptModel<T>(withEqlPayloads as T)\n          .audit(this.getAuditData())\n\n        if (decryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(decryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = decryptResult.failure.code\n          throw error\n        }\n\n        return decryptResult.data\n      },\n      (error) =>\n        handleError(error, 'decryptModel', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport { type Result, withResult } from '@byteslice/result'\nimport { deepClone, handleError, toEncryptedDynamoItem } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class EncryptModelOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<T> {\n  private encryptionClient: EncryptionClient\n  private item: T\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    item: T,\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.item = item\n    this.table = table\n  }\n\n  public async execute(): Promise<Result<T, EncryptedDynamoDBError>> {\n    return await withResult(\n      async () => {\n        const encryptResult = await this.encryptionClient\n          .encryptModel(deepClone(this.item), this.table)\n          .audit(this.getAuditData())\n\n        if (encryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(encryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = encryptResult.failure.code\n          throw error\n        }\n\n        const data = deepClone(encryptResult.data)\n        const encryptedAttrs = Object.keys(this.table.build().columns)\n\n        return toEncryptedDynamoItem(data, encryptedAttrs) as T\n      },\n      (error) =>\n        handleError(error, 'encryptModel', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACGA,oBAAwC;;;ACAxC,yBAAgD;AAGzC,IAAM,uBAAuB;AAC7B,IAAM,uBAAuB;AAE7B,IAAM,6BAAN,cACG,MAEV;AAAA,EACE,YACE,SACO,MACA,SACP;AACA,UAAM,OAAO;AAHN;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAEO,SAAS,YACd,OACA,SACA,SAMwB;AAGxB,QAAM,WAAW;AACjB,QAAM,YACJ,iBAAiB,mBAAAA,eACb,MAAM,OACN,YACE,OAAO,aAAa,YACpB,UAAU,YACV,OAAO,SAAS,SAAS,WACxB,SAAS,OACV;AAER,QAAM,eACJ,iBAAiB,QACb,MAAM,UACN,YAAY,OAAO,SAAS,YAAY,WACtC,SAAS,UACT,OAAO,KAAK;AAEpB,QAAM,cAAc,IAAI,2BAA2B,cAAc,WAAW;AAAA,IAC1E;AAAA,EACF,CAAC;AAED,MAAI,SAAS,cAAc;AACzB,YAAQ,aAAa,WAAW;AAAA,EAClC;AAEA,MAAI,SAAS,QAAQ;AACnB,YAAQ,OAAO,MAAM,YAAY,OAAO,IAAI,WAAW;AAAA,EACzD;AAEA,SAAO;AACT;AAEO,SAAS,UAAa,KAAW;AACtC,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,EAC1C;AAEA,SAAO,OAAO,QAAQ,GAA8B,EAAE;AAAA,IACpD,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO;AAAA;AAAA,MAEtB,GAAG;AAAA,MACH,CAAC,GAAG,GAAG,UAAU,KAAK;AAAA,IACxB;AAAA,IACA,CAAC;AAAA,EACH;AACF;AAEO,SAAS,sBACd,WACA,gBACyB;AACzB,WAAS,aACP,UACA,WACA,UACyB;AACzB,QAAI,cAAc,QAAQ,cAAc,QAAW;AACjD,aAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,IACjC;AAGA,QACE,eAAe,SAAS,QAAQ,KAC/B,YACC,OAAO,cAAc,YACrB,OAAQ,WACV;AACA,YAAM,iBAAiB;AACvB,UAAI,gBAAgB,GAAG;AACrB,cAAM,SAAkC,CAAC;AACzC,YAAI,eAAe,IAAI;AACrB,iBAAO,GAAG,QAAQ,GAAG,oBAAoB,EAAE,IAAI,eAAe;AAAA,QAChE;AACA,eAAO,GAAG,QAAQ,GAAG,oBAAoB,EAAE,IAAI,eAAe;AAC9D,eAAO;AAAA,MACT;AAEA,UAAI,gBAAgB,IAAI;AACtB,cAAM,SAAkC,CAAC;AACzC,eAAO,GAAG,QAAQ,GAAG,oBAAoB,EAAE,IAAI,eAAe;AAC9D,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,OAAO,cAAc,YAAY,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC9D,YAAM,eAAe,OAAO;AAAA,QAC1B;AAAA,MACF,EAAE;AAAA,QACA,CAAC,KAAK,CAAC,KAAK,GAAG,MAAM;AACnB,gBAAM,YAAY,aAAa,KAAK,KAAK,IAAI;AAC7C,iBAAO,OAAO,OAAO,CAAC,GAAG,KAAK,SAAS;AAAA,QACzC;AAAA,QACA,CAAC;AAAA,MACH;AACA,aAAO,EAAE,CAAC,QAAQ,GAAG,aAAa;AAAA,IACpC;AAGA,WAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,EACjC;AAEA,SAAO,OAAO,QAAQ,SAAS,EAAE;AAAA,IAC/B,CAAC,SAAS,CAAC,UAAU,SAAS,MAAM;AAClC,YAAM,YAAY,aAAa,UAAU,WAAW,KAAK;AACzD,aAAO,OAAO,OAAO,CAAC,GAAG,SAAS,SAAS;AAAA,IAC7C;AAAA,IACA,CAAC;AAAA,EACH;AACF;AAEO,SAAS,sBACd,WACA,kBACyB;AACzB,WAAS,aACP,UACA,WACA,UACyB;AACzB,QAAI,cAAc,QAAQ,cAAc,QAAW;AACjD,aAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,IACjC;AAGA,QAAI,SAAS,SAAS,oBAAoB,GAAG;AAC3C,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,gBAAgB,iBAAiB,MAAM;AAC7C,UAAM,iBAAiB,OAAO,KAAK,cAAc,OAAO;AACxD,UAAM,aAAa,SAAS,MAAM,GAAG,CAAC,qBAAqB,MAAM;AAGjE,QACE,SAAS,SAAS,oBAAoB,MACrC,eAAe,SAAS,UAAU,KAAK,WACxC;AACA,YAAM,IAAI,EAAE,GAAG,YAAY,GAAG,cAAc,UAAU;AACtD,YAAM,IAAI;AAIV,UACE,CAAC,YACD,cAAc,QAAQ,UAAU,EAAE,YAAY,UAC9C,cAAc,QAAQ,UAAU,EAAE,QAAQ,SAC1C;AACA,eAAO;AAAA,UACL,CAAC,UAAU,GAAG;AAAA,YACZ;AAAA,YACA;AAAA,YACA,GAAG;AAAA,YACH,IAAI;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,CAAC,UAAU,GAAG;AAAA,UACZ;AAAA,UACA;AAAA,UACA,GAAG;AAAA,UACH,GAAG;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAGA,QAAI,OAAO,cAAc,YAAY,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC9D,YAAM,eAAe,OAAO;AAAA,QAC1B;AAAA,MACF,EAAE;AAAA,QACA,CAAC,KAAK,CAAC,KAAK,GAAG,MAAM;AACnB,gBAAM,YAAY,aAAa,KAAK,KAAK,IAAI;AAC7C,iBAAO,OAAO,OAAO,CAAC,GAAG,KAAK,SAAS;AAAA,QACzC;AAAA,QACA,CAAC;AAAA,MACH;AACA,aAAO,EAAE,CAAC,QAAQ,GAAG,aAAa;AAAA,IACpC;AAGA,WAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,EACjC;AAEA,SAAO,OAAO,QAAQ,SAAS,EAAE;AAAA,IAC/B,CAAC,eAAe,CAAC,UAAU,SAAS,MAAM;AACxC,YAAM,YAAY,aAAa,UAAU,WAAW,KAAK;AACzD,aAAO,OAAO,OAAO,CAAC,GAAG,eAAe,SAAS;AAAA,IACnD;AAAA,IACA,CAAC;AAAA,EACH;AACF;;;ACvNO,IAAe,oBAAf,MAAoC;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EAEV,YAAY,SAAoC;AAC9C,SAAK,SAAS,SAAS;AACvB,SAAK,eAAe,SAAS;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAA2B;AAC/B,SAAK,gBAAgB,OAAO;AAC5B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKU,eAA0B;AAClC,WAAO;AAAA,MACL,UAAU,KAAK;AAAA,IACjB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAUO,KACL,aAKA,YAC8B;AAC9B,WAAO,KAAK,QAAQ,EAAE,KAAK,aAAa,UAAU;AAAA,EACpD;AACF;;;AFpDO,IAAM,6BAAN,cAEG,kBAAkC;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,OACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAEX;AACA,WAAO,UAAM;AAAA,MACX,YAAY;AACV,cAAM,uBAAuB,KAAK,MAAM;AAAA,UAAI,CAAC,SAC3C,sBAAsB,MAAM,KAAK,KAAK;AAAA,QACxC;AAEA,cAAM,gBAAgB,MAAM,KAAK,iBAC9B,kBAAqB,oBAA2B,EAChD,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,eAAO,cAAc;AAAA,MACvB;AAAA,MACA,CAAC,UACC,YAAY,OAAO,qBAAqB;AAAA,QACtC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;AG5DA,IAAAC,iBAAwC;AAQjC,IAAM,6BAAN,cAEG,kBAAuB;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,OACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAAwD;AACnE,WAAO,UAAM;AAAA,MACX,YAAY;AACV,cAAM,gBAAgB,MAAM,KAAK,iBAC9B;AAAA,UACC,KAAK,MAAM,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,UACxC,KAAK;AAAA,QACP,EACC,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,cAAM,OAAO,cAAc,KAAK,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAC7D,cAAM,iBAAiB,OAAO,KAAK,KAAK,MAAM,MAAM,EAAE,OAAO;AAE7D,eAAO,KAAK;AAAA,UACV,CAAC,cAAc,sBAAsB,WAAW,cAAc;AAAA,QAChE;AAAA,MACF;AAAA,MACA,CAAC,UACC,YAAY,OAAO,qBAAqB;AAAA,QACtC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;AC5DA,IAAAC,iBAAwC;AAQjC,IAAM,wBAAN,cAEG,kBAAgC;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,MACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAEX;AACA,WAAO,UAAM;AAAA,MACX,YAAY;AACV,cAAM,kBAAkB,sBAAsB,KAAK,MAAM,KAAK,KAAK;AAEnE,cAAM,gBAAgB,MAAM,KAAK,iBAC9B,aAAgB,eAAoB,EACpC,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,eAAO,cAAc;AAAA,MACvB;AAAA,MACA,CAAC,UACC,YAAY,OAAO,gBAAgB;AAAA,QACjC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;AC1DA,IAAAC,iBAAwC;AAQjC,IAAM,wBAAN,cAEG,kBAAqB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,MACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAAsD;AACjE,WAAO,UAAM;AAAA,MACX,YAAY;AACV,cAAM,gBAAgB,MAAM,KAAK,iBAC9B,aAAa,UAAU,KAAK,IAAI,GAAG,KAAK,KAAK,EAC7C,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,cAAM,OAAO,UAAU,cAAc,IAAI;AACzC,cAAM,iBAAiB,OAAO,KAAK,KAAK,MAAM,MAAM,EAAE,OAAO;AAE7D,eAAO,sBAAsB,MAAM,cAAc;AAAA,MACnD;AAAA,MACA,CAAC,UACC,YAAY,OAAO,gBAAgB;AAAA,QACjC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;ANpBO,SAAS,kBACd,QAC2B;AAC3B,QAAM,EAAE,kBAAkB,QAAQ,IAAI;AAEtC,SAAO;AAAA,IACL,aACE,MACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,kBACE,OACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,aACE,MACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,kBACE,OACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;","names":["FfiProtectError","import_result","import_result","import_result"]}

package/dist/dynamodb/index.d.cts

@@ -0,0 +1,125 @@
+import { E as EncryptionClient } from '../client-BxJG56Ey.cjs';
+import { D as Decrypted, i as EncryptedValue, d as ProtectTable, f as ProtectTableColumn } from '../types-public-BCj1L4fi.cjs';
+import { ProtectErrorCode } from '@cipherstash/protect-ffi';
+import { Result } from '@byteslice/result';
+import '../index-9-Ya3fDK.cjs';
+import 'zod';
+import 'evlog';
+
+type AuditConfig = {
+    metadata?: Record<string, unknown>;
+};
+type AuditData = {
+    metadata?: Record<string, unknown>;
+};
+type DynamoDBOperationOptions = {
+    logger?: {
+        error: (message: string, error: Error) => void;
+    };
+    errorHandler?: (error: EncryptedDynamoDBError) => void;
+};
+declare abstract class DynamoDBOperation<T> {
+    protected auditMetadata?: Record<string, unknown>;
+    protected logger?: DynamoDBOperationOptions['logger'];
+    protected errorHandler?: DynamoDBOperationOptions['errorHandler'];
+    constructor(options?: DynamoDBOperationOptions);
+    /**
+     * Attach audit metadata to this operation. Can be chained.
+     */
+    audit(config: AuditConfig): this;
+    /**
+     * Get the audit metadata for this operation.
+     */
+    protected getAuditData(): AuditData;
+    /**
+     * Execute the operation and return a Result
+     */
+    abstract execute(): Promise<Result<T, EncryptedDynamoDBError>>;
+    /**
+     * Make the operation thenable
+     */
+    then<TResult1 = Result<T, EncryptedDynamoDBError>, TResult2 = never>(onfulfilled?: ((value: Result<T, EncryptedDynamoDBError>) => TResult1 | PromiseLike<TResult1>) | null, onrejected?: ((reason: unknown) => TResult2 | PromiseLike<TResult2>) | null): Promise<TResult1 | TResult2>;
+}
+
+declare class BulkDecryptModelsOperation<T extends Record<string, unknown>> extends DynamoDBOperation<Decrypted<T>[]> {
+    private encryptionClient;
+    private items;
+    private table;
+    constructor(encryptionClient: EncryptionClient, items: Record<string, EncryptedValue | unknown>[], table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<Decrypted<T>[], EncryptedDynamoDBError>>;
+}
+
+declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> extends DynamoDBOperation<T[]> {
+    private encryptionClient;
+    private items;
+    private table;
+    constructor(encryptionClient: EncryptionClient, items: T[], table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<T[], EncryptedDynamoDBError>>;
+}
+
+declare class DecryptModelOperation<T extends Record<string, unknown>> extends DynamoDBOperation<Decrypted<T>> {
+    private encryptionClient;
+    private item;
+    private table;
+    constructor(encryptionClient: EncryptionClient, item: Record<string, EncryptedValue | unknown>, table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<Decrypted<T>, EncryptedDynamoDBError>>;
+}
+
+declare class EncryptModelOperation<T extends Record<string, unknown>> extends DynamoDBOperation<T> {
+    private encryptionClient;
+    private item;
+    private table;
+    constructor(encryptionClient: EncryptionClient, item: T, table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<T, EncryptedDynamoDBError>>;
+}
+
+interface EncryptedDynamoDBConfig {
+    encryptionClient: EncryptionClient;
+    options?: {
+        logger?: {
+            error: (message: string, error: Error) => void;
+        };
+        errorHandler?: (error: EncryptedDynamoDBError) => void;
+    };
+}
+interface EncryptedDynamoDBError extends Error {
+    code: ProtectErrorCode | 'DYNAMODB_ENCRYPTION_ERROR';
+    details?: Record<string, unknown>;
+}
+interface EncryptedDynamoDBInstance {
+    encryptModel<T extends Record<string, unknown>>(item: T, table: ProtectTable<ProtectTableColumn>): EncryptModelOperation<T>;
+    bulkEncryptModels<T extends Record<string, unknown>>(items: T[], table: ProtectTable<ProtectTableColumn>): BulkEncryptModelsOperation<T>;
+    decryptModel<T extends Record<string, unknown>>(item: Record<string, EncryptedValue | unknown>, table: ProtectTable<ProtectTableColumn>): DecryptModelOperation<T>;
+    bulkDecryptModels<T extends Record<string, unknown>>(items: Record<string, EncryptedValue | unknown>[], table: ProtectTable<ProtectTableColumn>): BulkDecryptModelsOperation<T>;
+}
+
+/**
+ * Create an encrypted DynamoDB helper bound to an `EncryptionClient`.
+ *
+ * Returns an object with `encryptModel`, `decryptModel`, `bulkEncryptModels`,
+ * and `bulkDecryptModels` methods that transparently encrypt/decrypt DynamoDB
+ * items according to the provided table schema.
+ *
+ * @param config - Configuration containing the `encryptionClient` and optional
+ *   logging / error-handling callbacks.
+ * @returns An {@link EncryptedDynamoDBInstance} with encrypt/decrypt operations.
+ *
+ * @example
+ * ```typescript
+ * import { Encryption } from "@cipherstash/stack"
+ * import { encryptedDynamoDB } from "@cipherstash/stack/dynamodb"
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+ *
+ * const users = encryptedTable("users", {
+ *   email: encryptedColumn("email").equality(),
+ * })
+ *
+ * const client = await Encryption({ schemas: [users] })
+ * const dynamo = encryptedDynamoDB({ encryptionClient: client })
+ *
+ * const encrypted = await dynamo.encryptModel({ email: "a@b.com" }, users)
+ * ```
+ */
+declare function encryptedDynamoDB(config: EncryptedDynamoDBConfig): EncryptedDynamoDBInstance;
+
+export { type EncryptedDynamoDBConfig, type EncryptedDynamoDBError, type EncryptedDynamoDBInstance, encryptedDynamoDB };

package/dist/dynamodb/index.d.ts

@@ -0,0 +1,125 @@
+import { E as EncryptionClient } from '../client-DtGq9dJp.js';
+import { D as Decrypted, i as EncryptedValue, d as ProtectTable, f as ProtectTableColumn } from '../types-public-BCj1L4fi.js';
+import { ProtectErrorCode } from '@cipherstash/protect-ffi';
+import { Result } from '@byteslice/result';
+import '../index-9-Ya3fDK.js';
+import 'zod';
+import 'evlog';
+
+type AuditConfig = {
+    metadata?: Record<string, unknown>;
+};
+type AuditData = {
+    metadata?: Record<string, unknown>;
+};
+type DynamoDBOperationOptions = {
+    logger?: {
+        error: (message: string, error: Error) => void;
+    };
+    errorHandler?: (error: EncryptedDynamoDBError) => void;
+};
+declare abstract class DynamoDBOperation<T> {
+    protected auditMetadata?: Record<string, unknown>;
+    protected logger?: DynamoDBOperationOptions['logger'];
+    protected errorHandler?: DynamoDBOperationOptions['errorHandler'];
+    constructor(options?: DynamoDBOperationOptions);
+    /**
+     * Attach audit metadata to this operation. Can be chained.
+     */
+    audit(config: AuditConfig): this;
+    /**
+     * Get the audit metadata for this operation.
+     */
+    protected getAuditData(): AuditData;
+    /**
+     * Execute the operation and return a Result
+     */
+    abstract execute(): Promise<Result<T, EncryptedDynamoDBError>>;
+    /**
+     * Make the operation thenable
+     */
+    then<TResult1 = Result<T, EncryptedDynamoDBError>, TResult2 = never>(onfulfilled?: ((value: Result<T, EncryptedDynamoDBError>) => TResult1 | PromiseLike<TResult1>) | null, onrejected?: ((reason: unknown) => TResult2 | PromiseLike<TResult2>) | null): Promise<TResult1 | TResult2>;
+}
+
+declare class BulkDecryptModelsOperation<T extends Record<string, unknown>> extends DynamoDBOperation<Decrypted<T>[]> {
+    private encryptionClient;
+    private items;
+    private table;
+    constructor(encryptionClient: EncryptionClient, items: Record<string, EncryptedValue | unknown>[], table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<Decrypted<T>[], EncryptedDynamoDBError>>;
+}
+
+declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> extends DynamoDBOperation<T[]> {
+    private encryptionClient;
+    private items;
+    private table;
+    constructor(encryptionClient: EncryptionClient, items: T[], table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<T[], EncryptedDynamoDBError>>;
+}
+
+declare class DecryptModelOperation<T extends Record<string, unknown>> extends DynamoDBOperation<Decrypted<T>> {
+    private encryptionClient;
+    private item;
+    private table;
+    constructor(encryptionClient: EncryptionClient, item: Record<string, EncryptedValue | unknown>, table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<Decrypted<T>, EncryptedDynamoDBError>>;
+}
+
+declare class EncryptModelOperation<T extends Record<string, unknown>> extends DynamoDBOperation<T> {
+    private encryptionClient;
+    private item;
+    private table;
+    constructor(encryptionClient: EncryptionClient, item: T, table: ProtectTable<ProtectTableColumn>, options?: DynamoDBOperationOptions);
+    execute(): Promise<Result<T, EncryptedDynamoDBError>>;
+}
+
+interface EncryptedDynamoDBConfig {
+    encryptionClient: EncryptionClient;
+    options?: {
+        logger?: {
+            error: (message: string, error: Error) => void;
+        };
+        errorHandler?: (error: EncryptedDynamoDBError) => void;
+    };
+}
+interface EncryptedDynamoDBError extends Error {
+    code: ProtectErrorCode | 'DYNAMODB_ENCRYPTION_ERROR';
+    details?: Record<string, unknown>;
+}
+interface EncryptedDynamoDBInstance {
+    encryptModel<T extends Record<string, unknown>>(item: T, table: ProtectTable<ProtectTableColumn>): EncryptModelOperation<T>;
+    bulkEncryptModels<T extends Record<string, unknown>>(items: T[], table: ProtectTable<ProtectTableColumn>): BulkEncryptModelsOperation<T>;
+    decryptModel<T extends Record<string, unknown>>(item: Record<string, EncryptedValue | unknown>, table: ProtectTable<ProtectTableColumn>): DecryptModelOperation<T>;
+    bulkDecryptModels<T extends Record<string, unknown>>(items: Record<string, EncryptedValue | unknown>[], table: ProtectTable<ProtectTableColumn>): BulkDecryptModelsOperation<T>;
+}
+
+/**
+ * Create an encrypted DynamoDB helper bound to an `EncryptionClient`.
+ *
+ * Returns an object with `encryptModel`, `decryptModel`, `bulkEncryptModels`,
+ * and `bulkDecryptModels` methods that transparently encrypt/decrypt DynamoDB
+ * items according to the provided table schema.
+ *
+ * @param config - Configuration containing the `encryptionClient` and optional
+ *   logging / error-handling callbacks.
+ * @returns An {@link EncryptedDynamoDBInstance} with encrypt/decrypt operations.
+ *
+ * @example
+ * ```typescript
+ * import { Encryption } from "@cipherstash/stack"
+ * import { encryptedDynamoDB } from "@cipherstash/stack/dynamodb"
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+ *
+ * const users = encryptedTable("users", {
+ *   email: encryptedColumn("email").equality(),
+ * })
+ *
+ * const client = await Encryption({ schemas: [users] })
+ * const dynamo = encryptedDynamoDB({ encryptionClient: client })
+ *
+ * const encrypted = await dynamo.encryptModel({ email: "a@b.com" }, users)
+ * ```
+ */
+declare function encryptedDynamoDB(config: EncryptedDynamoDBConfig): EncryptedDynamoDBInstance;
+
+export { type EncryptedDynamoDBConfig, type EncryptedDynamoDBError, type EncryptedDynamoDBInstance, encryptedDynamoDB };

package/dist/dynamodb/index.js

@@ -0,0 +1,355 @@
+// src/dynamodb/operations/bulk-decrypt-models.ts
+import { withResult } from "@byteslice/result";
+
+// src/dynamodb/helpers.ts
+import { ProtectError as FfiProtectError } from "@cipherstash/protect-ffi";
+var ciphertextAttrSuffix = "__source";
+var searchTermAttrSuffix = "__hmac";
+var EncryptedDynamoDBErrorImpl = class extends Error {
+  constructor(message, code, details) {
+    super(message);
+    this.code = code;
+    this.details = details;
+    this.name = "EncryptedDynamoDBError";
+  }
+};
+function handleError(error, context, options) {
+  const errorObj = error;
+  const errorCode = error instanceof FfiProtectError ? error.code : errorObj && typeof errorObj === "object" && "code" in errorObj && typeof errorObj.code === "string" ? errorObj.code : "DYNAMODB_ENCRYPTION_ERROR";
+  const errorMessage = error instanceof Error ? error.message : errorObj && typeof errorObj.message === "string" ? errorObj.message : String(error);
+  const dynamoError = new EncryptedDynamoDBErrorImpl(errorMessage, errorCode, {
+    context
+  });
+  if (options?.errorHandler) {
+    options.errorHandler(dynamoError);
+  }
+  if (options?.logger) {
+    options.logger.error(`Error in ${context}`, dynamoError);
+  }
+  return dynamoError;
+}
+function deepClone(obj) {
+  if (obj === null || typeof obj !== "object") {
+    return obj;
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => deepClone(item));
+  }
+  return Object.entries(obj).reduce(
+    (acc, [key, value]) => ({
+      // biome-ignore lint/performance/noAccumulatingSpread: TODO later
+      ...acc,
+      [key]: deepClone(value)
+    }),
+    {}
+  );
+}
+function toEncryptedDynamoItem(encrypted, encryptedAttrs) {
+  function processValue(attrName, attrValue, isNested) {
+    if (attrValue === null || attrValue === void 0) {
+      return { [attrName]: attrValue };
+    }
+    if (encryptedAttrs.includes(attrName) || isNested && typeof attrValue === "object" && "c" in attrValue) {
+      const encryptPayload = attrValue;
+      if (encryptPayload?.c) {
+        const result = {};
+        if (encryptPayload.hm) {
+          result[`${attrName}${searchTermAttrSuffix}`] = encryptPayload.hm;
+        }
+        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.c;
+        return result;
+      }
+      if (encryptPayload?.sv) {
+        const result = {};
+        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.sv;
+        return result;
+      }
+    }
+    if (typeof attrValue === "object" && !Array.isArray(attrValue)) {
+      const nestedResult = Object.entries(
+        attrValue
+      ).reduce(
+        (acc, [key, val]) => {
+          const processed = processValue(key, val, true);
+          return Object.assign({}, acc, processed);
+        },
+        {}
+      );
+      return { [attrName]: nestedResult };
+    }
+    return { [attrName]: attrValue };
+  }
+  return Object.entries(encrypted).reduce(
+    (putItem, [attrName, attrValue]) => {
+      const processed = processValue(attrName, attrValue, false);
+      return Object.assign({}, putItem, processed);
+    },
+    {}
+  );
+}
+function toItemWithEqlPayloads(decrypted, encryptionSchema) {
+  function processValue(attrName, attrValue, isNested) {
+    if (attrValue === null || attrValue === void 0) {
+      return { [attrName]: attrValue };
+    }
+    if (attrName.endsWith(searchTermAttrSuffix)) {
+      return {};
+    }
+    const encryptConfig = encryptionSchema.build();
+    const encryptedAttrs = Object.keys(encryptConfig.columns);
+    const columnName = attrName.slice(0, -ciphertextAttrSuffix.length);
+    if (attrName.endsWith(ciphertextAttrSuffix) && (encryptedAttrs.includes(columnName) || isNested)) {
+      const i = { c: columnName, t: encryptConfig.tableName };
+      const v = 2;
+      if (!isNested && encryptConfig.columns[columnName].cast_as === "json" && encryptConfig.columns[columnName].indexes.ste_vec) {
+        return {
+          [columnName]: {
+            i,
+            v,
+            k: "sv",
+            sv: attrValue
+          }
+        };
+      }
+      return {
+        [columnName]: {
+          i,
+          v,
+          k: "ct",
+          c: attrValue
+        }
+      };
+    }
+    if (typeof attrValue === "object" && !Array.isArray(attrValue)) {
+      const nestedResult = Object.entries(
+        attrValue
+      ).reduce(
+        (acc, [key, val]) => {
+          const processed = processValue(key, val, true);
+          return Object.assign({}, acc, processed);
+        },
+        {}
+      );
+      return { [attrName]: nestedResult };
+    }
+    return { [attrName]: attrValue };
+  }
+  return Object.entries(decrypted).reduce(
+    (formattedItem, [attrName, attrValue]) => {
+      const processed = processValue(attrName, attrValue, false);
+      return Object.assign({}, formattedItem, processed);
+    },
+    {}
+  );
+}
+
+// src/dynamodb/operations/base-operation.ts
+var DynamoDBOperation = class {
+  auditMetadata;
+  logger;
+  errorHandler;
+  constructor(options) {
+    this.logger = options?.logger;
+    this.errorHandler = options?.errorHandler;
+  }
+  /**
+   * Attach audit metadata to this operation. Can be chained.
+   */
+  audit(config) {
+    this.auditMetadata = config.metadata;
+    return this;
+  }
+  /**
+   * Get the audit metadata for this operation.
+   */
+  getAuditData() {
+    return {
+      metadata: this.auditMetadata
+    };
+  }
+  /**
+   * Make the operation thenable
+   */
+  then(onfulfilled, onrejected) {
+    return this.execute().then(onfulfilled, onrejected);
+  }
+};
+
+// src/dynamodb/operations/bulk-decrypt-models.ts
+var BulkDecryptModelsOperation = class extends DynamoDBOperation {
+  encryptionClient;
+  items;
+  table;
+  constructor(encryptionClient, items, table, options) {
+    super(options);
+    this.encryptionClient = encryptionClient;
+    this.items = items;
+    this.table = table;
+  }
+  async execute() {
+    return await withResult(
+      async () => {
+        const itemsWithEqlPayloads = this.items.map(
+          (item) => toItemWithEqlPayloads(item, this.table)
+        );
+        const decryptResult = await this.encryptionClient.bulkDecryptModels(itemsWithEqlPayloads).audit(this.getAuditData());
+        if (decryptResult.failure) {
+          const error = new Error(decryptResult.failure.message);
+          error.code = decryptResult.failure.code;
+          throw error;
+        }
+        return decryptResult.data;
+      },
+      (error) => handleError(error, "bulkDecryptModels", {
+        logger: this.logger,
+        errorHandler: this.errorHandler
+      })
+    );
+  }
+};
+
+// src/dynamodb/operations/bulk-encrypt-models.ts
+import { withResult as withResult2 } from "@byteslice/result";
+var BulkEncryptModelsOperation = class extends DynamoDBOperation {
+  encryptionClient;
+  items;
+  table;
+  constructor(encryptionClient, items, table, options) {
+    super(options);
+    this.encryptionClient = encryptionClient;
+    this.items = items;
+    this.table = table;
+  }
+  async execute() {
+    return await withResult2(
+      async () => {
+        const encryptResult = await this.encryptionClient.bulkEncryptModels(
+          this.items.map((item) => deepClone(item)),
+          this.table
+        ).audit(this.getAuditData());
+        if (encryptResult.failure) {
+          const error = new Error(encryptResult.failure.message);
+          error.code = encryptResult.failure.code;
+          throw error;
+        }
+        const data = encryptResult.data.map((item) => deepClone(item));
+        const encryptedAttrs = Object.keys(this.table.build().columns);
+        return data.map(
+          (encrypted) => toEncryptedDynamoItem(encrypted, encryptedAttrs)
+        );
+      },
+      (error) => handleError(error, "bulkEncryptModels", {
+        logger: this.logger,
+        errorHandler: this.errorHandler
+      })
+    );
+  }
+};
+
+// src/dynamodb/operations/decrypt-model.ts
+import { withResult as withResult3 } from "@byteslice/result";
+var DecryptModelOperation = class extends DynamoDBOperation {
+  encryptionClient;
+  item;
+  table;
+  constructor(encryptionClient, item, table, options) {
+    super(options);
+    this.encryptionClient = encryptionClient;
+    this.item = item;
+    this.table = table;
+  }
+  async execute() {
+    return await withResult3(
+      async () => {
+        const withEqlPayloads = toItemWithEqlPayloads(this.item, this.table);
+        const decryptResult = await this.encryptionClient.decryptModel(withEqlPayloads).audit(this.getAuditData());
+        if (decryptResult.failure) {
+          const error = new Error(decryptResult.failure.message);
+          error.code = decryptResult.failure.code;
+          throw error;
+        }
+        return decryptResult.data;
+      },
+      (error) => handleError(error, "decryptModel", {
+        logger: this.logger,
+        errorHandler: this.errorHandler
+      })
+    );
+  }
+};
+
+// src/dynamodb/operations/encrypt-model.ts
+import { withResult as withResult4 } from "@byteslice/result";
+var EncryptModelOperation = class extends DynamoDBOperation {
+  encryptionClient;
+  item;
+  table;
+  constructor(encryptionClient, item, table, options) {
+    super(options);
+    this.encryptionClient = encryptionClient;
+    this.item = item;
+    this.table = table;
+  }
+  async execute() {
+    return await withResult4(
+      async () => {
+        const encryptResult = await this.encryptionClient.encryptModel(deepClone(this.item), this.table).audit(this.getAuditData());
+        if (encryptResult.failure) {
+          const error = new Error(encryptResult.failure.message);
+          error.code = encryptResult.failure.code;
+          throw error;
+        }
+        const data = deepClone(encryptResult.data);
+        const encryptedAttrs = Object.keys(this.table.build().columns);
+        return toEncryptedDynamoItem(data, encryptedAttrs);
+      },
+      (error) => handleError(error, "encryptModel", {
+        logger: this.logger,
+        errorHandler: this.errorHandler
+      })
+    );
+  }
+};
+
+// src/dynamodb/index.ts
+function encryptedDynamoDB(config) {
+  const { encryptionClient, options } = config;
+  return {
+    encryptModel(item, table) {
+      return new EncryptModelOperation(
+        encryptionClient,
+        item,
+        table,
+        options
+      );
+    },
+    bulkEncryptModels(items, table) {
+      return new BulkEncryptModelsOperation(
+        encryptionClient,
+        items,
+        table,
+        options
+      );
+    },
+    decryptModel(item, table) {
+      return new DecryptModelOperation(
+        encryptionClient,
+        item,
+        table,
+        options
+      );
+    },
+    bulkDecryptModels(items, table) {
+      return new BulkDecryptModelsOperation(
+        encryptionClient,
+        items,
+        table,
+        options
+      );
+    }
+  };
+}
+export {
+  encryptedDynamoDB
+};
+//# sourceMappingURL=index.js.map