@cipherstash/stack 0.1.0

package/dist/dynamodb/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/dynamodb/operations/bulk-decrypt-models.ts","../../src/dynamodb/helpers.ts","../../src/dynamodb/operations/base-operation.ts","../../src/dynamodb/operations/bulk-encrypt-models.ts","../../src/dynamodb/operations/decrypt-model.ts","../../src/dynamodb/operations/encrypt-model.ts","../../src/dynamodb/index.ts"],"sourcesContent":["import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { Decrypted, EncryptedValue } from '@/types'\nimport { type Result, withResult } from '@byteslice/result'\nimport { handleError, toItemWithEqlPayloads } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class BulkDecryptModelsOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<Decrypted<T>[]> {\n  private encryptionClient: EncryptionClient\n  private items: Record<string, EncryptedValue | unknown>[]\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    items: Record<string, EncryptedValue | unknown>[],\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.items = items\n    this.table = table\n  }\n\n  public async execute(): Promise<\n    Result<Decrypted<T>[], EncryptedDynamoDBError>\n  > {\n    return await withResult(\n      async () => {\n        const itemsWithEqlPayloads = this.items.map((item) =>\n          toItemWithEqlPayloads(item, this.table),\n        )\n\n        const decryptResult = await this.encryptionClient\n          .bulkDecryptModels<T>(itemsWithEqlPayloads as T[])\n          .audit(this.getAuditData())\n\n        if (decryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(decryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = decryptResult.failure.code\n          throw error\n        }\n\n        return decryptResult.data\n      },\n      (error) =>\n        handleError(error, 'bulkDecryptModels', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { EncryptedValue } from '@/types'\nimport type { ProtectErrorCode } from '@cipherstash/protect-ffi'\nimport { ProtectError as FfiProtectError } from '@cipherstash/protect-ffi'\nimport type { EncryptedDynamoDBError } from './types'\n\nexport const ciphertextAttrSuffix = '__source'\nexport const searchTermAttrSuffix = '__hmac'\n\nexport class EncryptedDynamoDBErrorImpl\n  extends Error\n  implements EncryptedDynamoDBError\n{\n  constructor(\n    message: string,\n    public code: ProtectErrorCode | 'DYNAMODB_ENCRYPTION_ERROR',\n    public details?: Record<string, unknown>,\n  ) {\n    super(message)\n    this.name = 'EncryptedDynamoDBError'\n  }\n}\n\nexport function handleError(\n  error: unknown,\n  context: string,\n  options?: {\n    logger?: {\n      error: (message: string, error: Error) => void\n    }\n    errorHandler?: (error: EncryptedDynamoDBError) => void\n  },\n): EncryptedDynamoDBError {\n  // Preserve FFI error code if available, otherwise use generic DynamoDB error code\n  // Check for FfiProtectError instance or plain error objects with code property\n  const errorObj = error as Record<string, unknown>\n  const errorCode =\n    error instanceof FfiProtectError\n      ? error.code\n      : errorObj &&\n          typeof errorObj === 'object' &&\n          'code' in errorObj &&\n          typeof errorObj.code === 'string'\n        ? (errorObj.code as ProtectErrorCode)\n        : 'DYNAMODB_ENCRYPTION_ERROR'\n\n  const errorMessage =\n    error instanceof Error\n      ? error.message\n      : errorObj && typeof errorObj.message === 'string'\n        ? errorObj.message\n        : String(error)\n\n  const dynamoError = new EncryptedDynamoDBErrorImpl(errorMessage, errorCode, {\n    context,\n  })\n\n  if (options?.errorHandler) {\n    options.errorHandler(dynamoError)\n  }\n\n  if (options?.logger) {\n    options.logger.error(`Error in ${context}`, dynamoError)\n  }\n\n  return dynamoError\n}\n\nexport function deepClone<T>(obj: T): T {\n  if (obj === null || typeof obj !== 'object') {\n    return obj\n  }\n\n  if (Array.isArray(obj)) {\n    return obj.map((item) => deepClone(item)) as unknown as T\n  }\n\n  return Object.entries(obj as Record<string, unknown>).reduce(\n    (acc, [key, value]) => ({\n      // biome-ignore lint/performance/noAccumulatingSpread: TODO later\n      ...acc,\n      [key]: deepClone(value),\n    }),\n    {} as T,\n  )\n}\n\nexport function toEncryptedDynamoItem(\n  encrypted: Record<string, unknown>,\n  encryptedAttrs: string[],\n): Record<string, unknown> {\n  function processValue(\n    attrName: string,\n    attrValue: unknown,\n    isNested: boolean,\n  ): Record<string, unknown> {\n    if (attrValue === null || attrValue === undefined) {\n      return { [attrName]: attrValue }\n    }\n\n    // Handle encrypted payload\n    if (\n      encryptedAttrs.includes(attrName) ||\n      (isNested &&\n        typeof attrValue === 'object' &&\n        'c' in (attrValue as object))\n    ) {\n      const encryptPayload = attrValue as EncryptedValue\n      if (encryptPayload?.c) {\n        const result: Record<string, unknown> = {}\n        if (encryptPayload.hm) {\n          result[`${attrName}${searchTermAttrSuffix}`] = encryptPayload.hm\n        }\n        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.c\n        return result\n      }\n\n      if (encryptPayload?.sv) {\n        const result: Record<string, unknown> = {}\n        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.sv\n        return result\n      }\n    }\n\n    // Handle nested objects recursively\n    if (typeof attrValue === 'object' && !Array.isArray(attrValue)) {\n      const nestedResult = Object.entries(\n        attrValue as Record<string, unknown>,\n      ).reduce(\n        (acc, [key, val]) => {\n          const processed = processValue(key, val, true)\n          return Object.assign({}, acc, processed)\n        },\n        {} as Record<string, unknown>,\n      )\n      return { [attrName]: nestedResult }\n    }\n\n    // Handle non-encrypted values\n    return { [attrName]: attrValue }\n  }\n\n  return Object.entries(encrypted).reduce(\n    (putItem, [attrName, attrValue]) => {\n      const processed = processValue(attrName, attrValue, false)\n      return Object.assign({}, putItem, processed)\n    },\n    {} as Record<string, unknown>,\n  )\n}\n\nexport function toItemWithEqlPayloads(\n  decrypted: Record<string, EncryptedValue | unknown>,\n  encryptionSchema: ProtectTable<ProtectTableColumn>,\n): Record<string, unknown> {\n  function processValue(\n    attrName: string,\n    attrValue: unknown,\n    isNested: boolean,\n  ): Record<string, unknown> {\n    if (attrValue === null || attrValue === undefined) {\n      return { [attrName]: attrValue }\n    }\n\n    // Skip HMAC fields\n    if (attrName.endsWith(searchTermAttrSuffix)) {\n      return {}\n    }\n\n    const encryptConfig = encryptionSchema.build()\n    const encryptedAttrs = Object.keys(encryptConfig.columns)\n    const columnName = attrName.slice(0, -ciphertextAttrSuffix.length)\n\n    // Handle encrypted payload\n    if (\n      attrName.endsWith(ciphertextAttrSuffix) &&\n      (encryptedAttrs.includes(columnName) || isNested)\n    ) {\n      const i = { c: columnName, t: encryptConfig.tableName }\n      const v = 2\n\n      // Nested values are not searchable, so we can just return the standard EQL payload.\n      // Worth noting, that encryptConfig.columns[columnName] will be undefined if isNested is true.\n      if (\n        !isNested &&\n        encryptConfig.columns[columnName].cast_as === 'json' &&\n        encryptConfig.columns[columnName].indexes.ste_vec\n      ) {\n        return {\n          [columnName]: {\n            i,\n            v,\n            k: 'sv',\n            sv: attrValue,\n          },\n        }\n      }\n\n      return {\n        [columnName]: {\n          i,\n          v,\n          k: 'ct',\n          c: attrValue,\n        },\n      }\n    }\n\n    // Handle nested objects recursively\n    if (typeof attrValue === 'object' && !Array.isArray(attrValue)) {\n      const nestedResult = Object.entries(\n        attrValue as Record<string, unknown>,\n      ).reduce(\n        (acc, [key, val]) => {\n          const processed = processValue(key, val, true)\n          return Object.assign({}, acc, processed)\n        },\n        {} as Record<string, unknown>,\n      )\n      return { [attrName]: nestedResult }\n    }\n\n    // Handle non-encrypted values\n    return { [attrName]: attrValue }\n  }\n\n  return Object.entries(decrypted).reduce(\n    (formattedItem, [attrName, attrValue]) => {\n      const processed = processValue(attrName, attrValue, false)\n      return Object.assign({}, formattedItem, processed)\n    },\n    {} as Record<string, unknown>,\n  )\n}\n","import type { Result } from '@byteslice/result'\nimport type { EncryptedDynamoDBError } from '../types'\n\nexport type AuditConfig = {\n  metadata?: Record<string, unknown>\n}\n\nexport type AuditData = {\n  metadata?: Record<string, unknown>\n}\n\nexport type DynamoDBOperationOptions = {\n  logger?: {\n    error: (message: string, error: Error) => void\n  }\n  errorHandler?: (error: EncryptedDynamoDBError) => void\n}\n\nexport abstract class DynamoDBOperation<T> {\n  protected auditMetadata?: Record<string, unknown>\n  protected logger?: DynamoDBOperationOptions['logger']\n  protected errorHandler?: DynamoDBOperationOptions['errorHandler']\n\n  constructor(options?: DynamoDBOperationOptions) {\n    this.logger = options?.logger\n    this.errorHandler = options?.errorHandler\n  }\n\n  /**\n   * Attach audit metadata to this operation. Can be chained.\n   */\n  audit(config: AuditConfig): this {\n    this.auditMetadata = config.metadata\n    return this\n  }\n\n  /**\n   * Get the audit metadata for this operation.\n   */\n  protected getAuditData(): AuditData {\n    return {\n      metadata: this.auditMetadata,\n    }\n  }\n\n  /**\n   * Execute the operation and return a Result\n   */\n  abstract execute(): Promise<Result<T, EncryptedDynamoDBError>>\n\n  /**\n   * Make the operation thenable\n   */\n  public then<TResult1 = Result<T, EncryptedDynamoDBError>, TResult2 = never>(\n    onfulfilled?:\n      | ((\n          value: Result<T, EncryptedDynamoDBError>,\n        ) => TResult1 | PromiseLike<TResult1>)\n      | null,\n    onrejected?: ((reason: unknown) => TResult2 | PromiseLike<TResult2>) | null,\n  ): Promise<TResult1 | TResult2> {\n    return this.execute().then(onfulfilled, onrejected)\n  }\n}\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport { type Result, withResult } from '@byteslice/result'\nimport { deepClone, handleError, toEncryptedDynamoItem } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class BulkEncryptModelsOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<T[]> {\n  private encryptionClient: EncryptionClient\n  private items: T[]\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    items: T[],\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.items = items\n    this.table = table\n  }\n\n  public async execute(): Promise<Result<T[], EncryptedDynamoDBError>> {\n    return await withResult(\n      async () => {\n        const encryptResult = await this.encryptionClient\n          .bulkEncryptModels(\n            this.items.map((item) => deepClone(item)),\n            this.table,\n          )\n          .audit(this.getAuditData())\n\n        if (encryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(encryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = encryptResult.failure.code\n          throw error\n        }\n\n        const data = encryptResult.data.map((item) => deepClone(item))\n        const encryptedAttrs = Object.keys(this.table.build().columns)\n\n        return data.map(\n          (encrypted) => toEncryptedDynamoItem(encrypted, encryptedAttrs) as T,\n        )\n      },\n      (error) =>\n        handleError(error, 'bulkEncryptModels', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { Decrypted, EncryptedValue } from '@/types'\nimport { type Result, withResult } from '@byteslice/result'\nimport { handleError, toItemWithEqlPayloads } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class DecryptModelOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<Decrypted<T>> {\n  private encryptionClient: EncryptionClient\n  private item: Record<string, EncryptedValue | unknown>\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    item: Record<string, EncryptedValue | unknown>,\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.item = item\n    this.table = table\n  }\n\n  public async execute(): Promise<\n    Result<Decrypted<T>, EncryptedDynamoDBError>\n  > {\n    return await withResult(\n      async () => {\n        const withEqlPayloads = toItemWithEqlPayloads(this.item, this.table)\n\n        const decryptResult = await this.encryptionClient\n          .decryptModel<T>(withEqlPayloads as T)\n          .audit(this.getAuditData())\n\n        if (decryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(decryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = decryptResult.failure.code\n          throw error\n        }\n\n        return decryptResult.data\n      },\n      (error) =>\n        handleError(error, 'decryptModel', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { EncryptionClient } from '@/encryption/ffi'\nimport type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport { type Result, withResult } from '@byteslice/result'\nimport { deepClone, handleError, toEncryptedDynamoItem } from '../helpers'\nimport type { EncryptedDynamoDBError } from '../types'\nimport {\n  DynamoDBOperation,\n  type DynamoDBOperationOptions,\n} from './base-operation'\n\nexport class EncryptModelOperation<\n  T extends Record<string, unknown>,\n> extends DynamoDBOperation<T> {\n  private encryptionClient: EncryptionClient\n  private item: T\n  private table: ProtectTable<ProtectTableColumn>\n\n  constructor(\n    encryptionClient: EncryptionClient,\n    item: T,\n    table: ProtectTable<ProtectTableColumn>,\n    options?: DynamoDBOperationOptions,\n  ) {\n    super(options)\n    this.encryptionClient = encryptionClient\n    this.item = item\n    this.table = table\n  }\n\n  public async execute(): Promise<Result<T, EncryptedDynamoDBError>> {\n    return await withResult(\n      async () => {\n        const encryptResult = await this.encryptionClient\n          .encryptModel(deepClone(this.item), this.table)\n          .audit(this.getAuditData())\n\n        if (encryptResult.failure) {\n          // Create an Error object that preserves the FFI error code\n          // This is necessary because withResult's ensureError wraps non-Error objects\n          const error = new Error(encryptResult.failure.message) as Error & {\n            code?: string\n          }\n          error.code = encryptResult.failure.code\n          throw error\n        }\n\n        const data = deepClone(encryptResult.data)\n        const encryptedAttrs = Object.keys(this.table.build().columns)\n\n        return toEncryptedDynamoItem(data, encryptedAttrs) as T\n      },\n      (error) =>\n        handleError(error, 'encryptModel', {\n          logger: this.logger,\n          errorHandler: this.errorHandler,\n        }),\n    )\n  }\n}\n","import type { ProtectTable, ProtectTableColumn } from '@/schema'\nimport type { EncryptedValue } from '@/types'\nimport { BulkDecryptModelsOperation } from './operations/bulk-decrypt-models'\nimport { BulkEncryptModelsOperation } from './operations/bulk-encrypt-models'\nimport { DecryptModelOperation } from './operations/decrypt-model'\nimport { EncryptModelOperation } from './operations/encrypt-model'\nimport type {\n  EncryptedDynamoDBConfig,\n  EncryptedDynamoDBInstance,\n} from './types'\n\n/**\n * Create an encrypted DynamoDB helper bound to an `EncryptionClient`.\n *\n * Returns an object with `encryptModel`, `decryptModel`, `bulkEncryptModels`,\n * and `bulkDecryptModels` methods that transparently encrypt/decrypt DynamoDB\n * items according to the provided table schema.\n *\n * @param config - Configuration containing the `encryptionClient` and optional\n *   logging / error-handling callbacks.\n * @returns An {@link EncryptedDynamoDBInstance} with encrypt/decrypt operations.\n *\n * @example\n * ```typescript\n * import { Encryption } from \"@cipherstash/stack\"\n * import { encryptedDynamoDB } from \"@cipherstash/stack/dynamodb\"\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n *   email: encryptedColumn(\"email\").equality(),\n * })\n *\n * const client = await Encryption({ schemas: [users] })\n * const dynamo = encryptedDynamoDB({ encryptionClient: client })\n *\n * const encrypted = await dynamo.encryptModel({ email: \"a@b.com\" }, users)\n * ```\n */\nexport function encryptedDynamoDB(\n  config: EncryptedDynamoDBConfig,\n): EncryptedDynamoDBInstance {\n  const { encryptionClient, options } = config\n\n  return {\n    encryptModel<T extends Record<string, unknown>>(\n      item: T,\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new EncryptModelOperation<T>(\n        encryptionClient,\n        item,\n        table,\n        options,\n      )\n    },\n\n    bulkEncryptModels<T extends Record<string, unknown>>(\n      items: T[],\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new BulkEncryptModelsOperation<T>(\n        encryptionClient,\n        items,\n        table,\n        options,\n      )\n    },\n\n    decryptModel<T extends Record<string, unknown>>(\n      item: Record<string, EncryptedValue | unknown>,\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new DecryptModelOperation<T>(\n        encryptionClient,\n        item,\n        table,\n        options,\n      )\n    },\n\n    bulkDecryptModels<T extends Record<string, unknown>>(\n      items: Record<string, EncryptedValue | unknown>[],\n      table: ProtectTable<ProtectTableColumn>,\n    ) {\n      return new BulkDecryptModelsOperation<T>(\n        encryptionClient,\n        items,\n        table,\n        options,\n      )\n    },\n  }\n}\n\nexport type {\n  EncryptedDynamoDBConfig,\n  EncryptedDynamoDBError,\n  EncryptedDynamoDBInstance,\n} from './types'\n"],"mappings":";AAGA,SAAsB,kBAAkB;;;ACAxC,SAAS,gBAAgB,uBAAuB;AAGzC,IAAM,uBAAuB;AAC7B,IAAM,uBAAuB;AAE7B,IAAM,6BAAN,cACG,MAEV;AAAA,EACE,YACE,SACO,MACA,SACP;AACA,UAAM,OAAO;AAHN;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAEO,SAAS,YACd,OACA,SACA,SAMwB;AAGxB,QAAM,WAAW;AACjB,QAAM,YACJ,iBAAiB,kBACb,MAAM,OACN,YACE,OAAO,aAAa,YACpB,UAAU,YACV,OAAO,SAAS,SAAS,WACxB,SAAS,OACV;AAER,QAAM,eACJ,iBAAiB,QACb,MAAM,UACN,YAAY,OAAO,SAAS,YAAY,WACtC,SAAS,UACT,OAAO,KAAK;AAEpB,QAAM,cAAc,IAAI,2BAA2B,cAAc,WAAW;AAAA,IAC1E;AAAA,EACF,CAAC;AAED,MAAI,SAAS,cAAc;AACzB,YAAQ,aAAa,WAAW;AAAA,EAClC;AAEA,MAAI,SAAS,QAAQ;AACnB,YAAQ,OAAO,MAAM,YAAY,OAAO,IAAI,WAAW;AAAA,EACzD;AAEA,SAAO;AACT;AAEO,SAAS,UAAa,KAAW;AACtC,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,EAC1C;AAEA,SAAO,OAAO,QAAQ,GAA8B,EAAE;AAAA,IACpD,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO;AAAA;AAAA,MAEtB,GAAG;AAAA,MACH,CAAC,GAAG,GAAG,UAAU,KAAK;AAAA,IACxB;AAAA,IACA,CAAC;AAAA,EACH;AACF;AAEO,SAAS,sBACd,WACA,gBACyB;AACzB,WAAS,aACP,UACA,WACA,UACyB;AACzB,QAAI,cAAc,QAAQ,cAAc,QAAW;AACjD,aAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,IACjC;AAGA,QACE,eAAe,SAAS,QAAQ,KAC/B,YACC,OAAO,cAAc,YACrB,OAAQ,WACV;AACA,YAAM,iBAAiB;AACvB,UAAI,gBAAgB,GAAG;AACrB,cAAM,SAAkC,CAAC;AACzC,YAAI,eAAe,IAAI;AACrB,iBAAO,GAAG,QAAQ,GAAG,oBAAoB,EAAE,IAAI,eAAe;AAAA,QAChE;AACA,eAAO,GAAG,QAAQ,GAAG,oBAAoB,EAAE,IAAI,eAAe;AAC9D,eAAO;AAAA,MACT;AAEA,UAAI,gBAAgB,IAAI;AACtB,cAAM,SAAkC,CAAC;AACzC,eAAO,GAAG,QAAQ,GAAG,oBAAoB,EAAE,IAAI,eAAe;AAC9D,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,OAAO,cAAc,YAAY,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC9D,YAAM,eAAe,OAAO;AAAA,QAC1B;AAAA,MACF,EAAE;AAAA,QACA,CAAC,KAAK,CAAC,KAAK,GAAG,MAAM;AACnB,gBAAM,YAAY,aAAa,KAAK,KAAK,IAAI;AAC7C,iBAAO,OAAO,OAAO,CAAC,GAAG,KAAK,SAAS;AAAA,QACzC;AAAA,QACA,CAAC;AAAA,MACH;AACA,aAAO,EAAE,CAAC,QAAQ,GAAG,aAAa;AAAA,IACpC;AAGA,WAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,EACjC;AAEA,SAAO,OAAO,QAAQ,SAAS,EAAE;AAAA,IAC/B,CAAC,SAAS,CAAC,UAAU,SAAS,MAAM;AAClC,YAAM,YAAY,aAAa,UAAU,WAAW,KAAK;AACzD,aAAO,OAAO,OAAO,CAAC,GAAG,SAAS,SAAS;AAAA,IAC7C;AAAA,IACA,CAAC;AAAA,EACH;AACF;AAEO,SAAS,sBACd,WACA,kBACyB;AACzB,WAAS,aACP,UACA,WACA,UACyB;AACzB,QAAI,cAAc,QAAQ,cAAc,QAAW;AACjD,aAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,IACjC;AAGA,QAAI,SAAS,SAAS,oBAAoB,GAAG;AAC3C,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,gBAAgB,iBAAiB,MAAM;AAC7C,UAAM,iBAAiB,OAAO,KAAK,cAAc,OAAO;AACxD,UAAM,aAAa,SAAS,MAAM,GAAG,CAAC,qBAAqB,MAAM;AAGjE,QACE,SAAS,SAAS,oBAAoB,MACrC,eAAe,SAAS,UAAU,KAAK,WACxC;AACA,YAAM,IAAI,EAAE,GAAG,YAAY,GAAG,cAAc,UAAU;AACtD,YAAM,IAAI;AAIV,UACE,CAAC,YACD,cAAc,QAAQ,UAAU,EAAE,YAAY,UAC9C,cAAc,QAAQ,UAAU,EAAE,QAAQ,SAC1C;AACA,eAAO;AAAA,UACL,CAAC,UAAU,GAAG;AAAA,YACZ;AAAA,YACA;AAAA,YACA,GAAG;AAAA,YACH,IAAI;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,CAAC,UAAU,GAAG;AAAA,UACZ;AAAA,UACA;AAAA,UACA,GAAG;AAAA,UACH,GAAG;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAGA,QAAI,OAAO,cAAc,YAAY,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC9D,YAAM,eAAe,OAAO;AAAA,QAC1B;AAAA,MACF,EAAE;AAAA,QACA,CAAC,KAAK,CAAC,KAAK,GAAG,MAAM;AACnB,gBAAM,YAAY,aAAa,KAAK,KAAK,IAAI;AAC7C,iBAAO,OAAO,OAAO,CAAC,GAAG,KAAK,SAAS;AAAA,QACzC;AAAA,QACA,CAAC;AAAA,MACH;AACA,aAAO,EAAE,CAAC,QAAQ,GAAG,aAAa;AAAA,IACpC;AAGA,WAAO,EAAE,CAAC,QAAQ,GAAG,UAAU;AAAA,EACjC;AAEA,SAAO,OAAO,QAAQ,SAAS,EAAE;AAAA,IAC/B,CAAC,eAAe,CAAC,UAAU,SAAS,MAAM;AACxC,YAAM,YAAY,aAAa,UAAU,WAAW,KAAK;AACzD,aAAO,OAAO,OAAO,CAAC,GAAG,eAAe,SAAS;AAAA,IACnD;AAAA,IACA,CAAC;AAAA,EACH;AACF;;;ACvNO,IAAe,oBAAf,MAAoC;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EAEV,YAAY,SAAoC;AAC9C,SAAK,SAAS,SAAS;AACvB,SAAK,eAAe,SAAS;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAA2B;AAC/B,SAAK,gBAAgB,OAAO;AAC5B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKU,eAA0B;AAClC,WAAO;AAAA,MACL,UAAU,KAAK;AAAA,IACjB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAUO,KACL,aAKA,YAC8B;AAC9B,WAAO,KAAK,QAAQ,EAAE,KAAK,aAAa,UAAU;AAAA,EACpD;AACF;;;AFpDO,IAAM,6BAAN,cAEG,kBAAkC;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,OACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAEX;AACA,WAAO,MAAM;AAAA,MACX,YAAY;AACV,cAAM,uBAAuB,KAAK,MAAM;AAAA,UAAI,CAAC,SAC3C,sBAAsB,MAAM,KAAK,KAAK;AAAA,QACxC;AAEA,cAAM,gBAAgB,MAAM,KAAK,iBAC9B,kBAAqB,oBAA2B,EAChD,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,eAAO,cAAc;AAAA,MACvB;AAAA,MACA,CAAC,UACC,YAAY,OAAO,qBAAqB;AAAA,QACtC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;AG5DA,SAAsB,cAAAA,mBAAkB;AAQjC,IAAM,6BAAN,cAEG,kBAAuB;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,OACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAAwD;AACnE,WAAO,MAAMC;AAAA,MACX,YAAY;AACV,cAAM,gBAAgB,MAAM,KAAK,iBAC9B;AAAA,UACC,KAAK,MAAM,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,UACxC,KAAK;AAAA,QACP,EACC,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,cAAM,OAAO,cAAc,KAAK,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAC7D,cAAM,iBAAiB,OAAO,KAAK,KAAK,MAAM,MAAM,EAAE,OAAO;AAE7D,eAAO,KAAK;AAAA,UACV,CAAC,cAAc,sBAAsB,WAAW,cAAc;AAAA,QAChE;AAAA,MACF;AAAA,MACA,CAAC,UACC,YAAY,OAAO,qBAAqB;AAAA,QACtC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;AC5DA,SAAsB,cAAAC,mBAAkB;AAQjC,IAAM,wBAAN,cAEG,kBAAgC;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,MACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAEX;AACA,WAAO,MAAMC;AAAA,MACX,YAAY;AACV,cAAM,kBAAkB,sBAAsB,KAAK,MAAM,KAAK,KAAK;AAEnE,cAAM,gBAAgB,MAAM,KAAK,iBAC9B,aAAgB,eAAoB,EACpC,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,eAAO,cAAc;AAAA,MACvB;AAAA,MACA,CAAC,UACC,YAAY,OAAO,gBAAgB;AAAA,QACjC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;AC1DA,SAAsB,cAAAC,mBAAkB;AAQjC,IAAM,wBAAN,cAEG,kBAAqB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,kBACA,MACA,OACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,mBAAmB;AACxB,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,MAAa,UAAsD;AACjE,WAAO,MAAMC;AAAA,MACX,YAAY;AACV,cAAM,gBAAgB,MAAM,KAAK,iBAC9B,aAAa,UAAU,KAAK,IAAI,GAAG,KAAK,KAAK,EAC7C,MAAM,KAAK,aAAa,CAAC;AAE5B,YAAI,cAAc,SAAS;AAGzB,gBAAM,QAAQ,IAAI,MAAM,cAAc,QAAQ,OAAO;AAGrD,gBAAM,OAAO,cAAc,QAAQ;AACnC,gBAAM;AAAA,QACR;AAEA,cAAM,OAAO,UAAU,cAAc,IAAI;AACzC,cAAM,iBAAiB,OAAO,KAAK,KAAK,MAAM,MAAM,EAAE,OAAO;AAE7D,eAAO,sBAAsB,MAAM,cAAc;AAAA,MACnD;AAAA,MACA,CAAC,UACC,YAAY,OAAO,gBAAgB;AAAA,QACjC,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACL;AAAA,EACF;AACF;;;ACpBO,SAAS,kBACd,QAC2B;AAC3B,QAAM,EAAE,kBAAkB,QAAQ,IAAI;AAEtC,SAAO;AAAA,IACL,aACE,MACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,kBACE,OACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,aACE,MACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,kBACE,OACA,OACA;AACA,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;","names":["withResult","withResult","withResult","withResult","withResult","withResult"]}

package/dist/identity/index.cjs

@@ -0,0 +1,271 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/identity/index.ts
+var identity_exports = {};
+__export(identity_exports, {
+  LockContext: () => LockContext
+});
+module.exports = __toCommonJS(identity_exports);
+
+// src/errors/index.ts
+var EncryptionErrorTypes = {
+  ClientInitError: "ClientInitError",
+  EncryptionError: "EncryptionError",
+  DecryptionError: "DecryptionError",
+  LockContextError: "LockContextError",
+  CtsTokenError: "CtsTokenError"
+};
+
+// src/utils/config/index.ts
+var import_node_fs = __toESM(require("fs"), 1);
+var import_node_path = __toESM(require("path"), 1);
+function getWorkspaceCrn(tomlString) {
+  let currentSection = "";
+  let workspaceCrn;
+  const lines = tomlString.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmedLine = line.trim();
+    if (!trimmedLine || trimmedLine.startsWith("#")) {
+      continue;
+    }
+    const sectionMatch = trimmedLine.match(/^\[([^\]]+)\]$/);
+    if (sectionMatch) {
+      currentSection = sectionMatch[1];
+      continue;
+    }
+    const kvMatch = trimmedLine.match(/^(\w+)\s*=\s*"([^"]+)"$/);
+    if (kvMatch) {
+      const [_, key, value] = kvMatch;
+      if (currentSection === "auth" && key === "workspace_crn") {
+        workspaceCrn = value;
+        break;
+      }
+    }
+  }
+  return workspaceCrn;
+}
+function extractWorkspaceIdFromCrn(crn) {
+  const match = crn.match(/crn:[^:]+:([^:]+)$/);
+  if (!match) {
+    throw new Error("Invalid CRN format");
+  }
+  return match[1];
+}
+function loadWorkSpaceId(suppliedCrn) {
+  const configPath = import_node_path.default.join(process.cwd(), "cipherstash.toml");
+  if (suppliedCrn) {
+    return extractWorkspaceIdFromCrn(suppliedCrn);
+  }
+  if (!import_node_fs.default.existsSync(configPath) && !process.env.CS_WORKSPACE_CRN) {
+    throw new Error(
+      "You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable."
+    );
+  }
+  if (process.env.CS_WORKSPACE_CRN) {
+    return extractWorkspaceIdFromCrn(process.env.CS_WORKSPACE_CRN);
+  }
+  if (!import_node_fs.default.existsSync(configPath)) {
+    throw new Error(
+      "You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable."
+    );
+  }
+  const tomlString = import_node_fs.default.readFileSync(configPath, "utf8");
+  const workspaceCrn = getWorkspaceCrn(tomlString);
+  if (!workspaceCrn) {
+    throw new Error(
+      "You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable."
+    );
+  }
+  return extractWorkspaceIdFromCrn(workspaceCrn);
+}
+
+// src/utils/logger/index.ts
+var import_evlog = require("evlog");
+function samplingFromEnv() {
+  const env = process.env.STASH_LOG_LEVEL;
+  if (!env) return void 0;
+  const levels = ["debug", "info", "warn", "error"];
+  const idx = levels.indexOf(env);
+  if (idx === -1) return void 0;
+  return Object.fromEntries(levels.map((l, i) => [l, i >= idx ? 100 : 0]));
+}
+var initialized = false;
+function initStackLogger(config) {
+  if (initialized) return;
+  initialized = true;
+  const rates = samplingFromEnv();
+  (0, import_evlog.initLogger)({
+    env: { service: "@cipherstash/stack" },
+    enabled: config?.enabled ?? true,
+    pretty: config?.pretty,
+    ...rates && { sampling: { rates } },
+    ...config?.drain && { drain: config.drain }
+  });
+}
+initStackLogger();
+function safeMessage(args) {
+  return typeof args[0] === "string" ? args[0] : "";
+}
+var logger = {
+  debug(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({ level: "debug", source: "@cipherstash/stack", message: safeMessage(args) });
+    log.emit();
+  },
+  info(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({ source: "@cipherstash/stack" });
+    log.info(safeMessage(args));
+    log.emit();
+  },
+  warn(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.warn(safeMessage(args));
+    log.emit();
+  },
+  error(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.error(safeMessage(args));
+    log.emit();
+  }
+};
+
+// src/identity/index.ts
+var import_result = require("@byteslice/result");
+var LockContext = class {
+  ctsToken;
+  workspaceId;
+  context;
+  constructor({
+    context = { identityClaim: ["sub"] },
+    ctsToken
+  } = {}) {
+    const workspaceId = loadWorkSpaceId();
+    if (!workspaceId) {
+      throw new Error(
+        "You have not defined a workspace ID in your config file, or the CS_WORKSPACE_CRN environment variable."
+      );
+    }
+    if (ctsToken) {
+      this.ctsToken = ctsToken;
+    }
+    this.workspaceId = workspaceId;
+    this.context = context;
+    logger.debug("Successfully initialized the EQL lock context.");
+  }
+  /**
+   * Exchange a user's JWT for a CTS token and bind it to this lock context.
+   *
+   * @param jwtToken - A valid OIDC / JWT token for the current user.
+   * @returns A `Result` containing this `LockContext` (now authenticated) or an error.
+   *
+   * @example
+   * ```typescript
+   * const lc = new LockContext()
+   * const result = await lc.identify(userJwt)
+   * if (result.failure) {
+   *   console.error("Auth failed:", result.failure.message)
+   * }
+   * ```
+   */
+  async identify(jwtToken) {
+    const workspaceId = this.workspaceId;
+    const ctsEndpoint = process.env.CS_CTS_ENDPOINT || "https://ap-southeast-2.aws.auth.viturhosted.net";
+    const ctsFetchResult = await (0, import_result.withResult)(
+      () => fetch(`${ctsEndpoint}/api/authorize`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          workspaceId,
+          oidcToken: jwtToken
+        })
+      }),
+      (error) => ({
+        type: EncryptionErrorTypes.CtsTokenError,
+        message: error.message
+      })
+    );
+    if (ctsFetchResult.failure) {
+      return ctsFetchResult;
+    }
+    const identifiedLockContext = await (0, import_result.withResult)(
+      async () => {
+        const ctsToken = await ctsFetchResult.data.json();
+        if (!ctsToken.accessToken) {
+          throw new Error(
+            "The response from the CipherStash API did not contain an access token. Please contact support."
+          );
+        }
+        this.ctsToken = ctsToken;
+        return this;
+      },
+      (error) => ({
+        type: EncryptionErrorTypes.CtsTokenError,
+        message: error.message
+      })
+    );
+    return identifiedLockContext;
+  }
+  /**
+   * Retrieve the current CTS token and context for use with encryption operations.
+   *
+   * Must be called after {@link identify}. Returns the token/context pair that
+   * `.withLockContext()` expects.
+   *
+   * @returns A `Result` containing the CTS token and identity context, or an error
+   *   if {@link identify} has not been called.
+   */
+  getLockContext() {
+    return (0, import_result.withResult)(
+      () => {
+        if (!this.ctsToken?.accessToken || !this.ctsToken?.expiry) {
+          throw new Error(
+            "The CTS token is not set. Please call identify() with a users JWT token, or pass an existing CTS token to the LockContext constructor before calling getLockContext()."
+          );
+        }
+        return {
+          context: this.context,
+          ctsToken: this.ctsToken
+        };
+      },
+      (error) => ({
+        type: EncryptionErrorTypes.CtsTokenError,
+        message: error.message
+      })
+    );
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  LockContext
+});
+//# sourceMappingURL=index.cjs.map

package/dist/identity/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/identity/index.ts","../../src/errors/index.ts","../../src/utils/config/index.ts","../../src/utils/logger/index.ts"],"sourcesContent":["import { type EncryptionError, EncryptionErrorTypes } from '@/errors'\nimport { loadWorkSpaceId } from '@/utils/config'\nimport { logger } from '@/utils/logger'\nimport { type Result, withResult } from '@byteslice/result'\n\nexport type CtsRegions = 'ap-southeast-2'\n\nexport type IdentifyOptions = {\n  fetchFromCts?: boolean\n}\n\nexport type CtsToken = {\n  accessToken: string\n  expiry: number\n}\n\nexport type Context = {\n  identityClaim: string[]\n}\n\nexport type LockContextOptions = {\n  context?: Context\n  ctsToken?: CtsToken\n}\n\nexport type GetLockContextResponse = {\n  ctsToken: CtsToken\n  context: Context\n}\n\n/**\n * Manages CipherStash lock contexts for row-level access control.\n *\n * A `LockContext` ties encryption/decryption operations to an authenticated\n * user identity via CTS (CipherStash Token Service). Call {@link identify}\n * with a user's JWT to obtain a CTS token, then pass the `LockContext`\n * to `.withLockContext()` on any encrypt/decrypt operation.\n *\n * @example\n * ```typescript\n * import { LockContext } from \"@cipherstash/stack/identity\"\n *\n * const lc = new LockContext()\n * const identified = await lc.identify(userJwt)\n *\n * if (identified.failure) throw new Error(identified.failure.message)\n *\n * const result = await client\n *   .encrypt(value, { column: users.email, table: users })\n *   .withLockContext(identified.data)\n * ```\n */\nexport class LockContext {\n  private ctsToken: CtsToken | undefined\n  private workspaceId: string\n  private context: Context\n\n  constructor({\n    context = { identityClaim: ['sub'] },\n    ctsToken,\n  }: LockContextOptions = {}) {\n    const workspaceId = loadWorkSpaceId()\n\n    if (!workspaceId) {\n      throw new Error(\n        'You have not defined a workspace ID in your config file, or the CS_WORKSPACE_CRN environment variable.',\n      )\n    }\n\n    if (ctsToken) {\n      this.ctsToken = ctsToken\n    }\n\n    this.workspaceId = workspaceId\n    this.context = context\n    logger.debug('Successfully initialized the EQL lock context.')\n  }\n\n  /**\n   * Exchange a user's JWT for a CTS token and bind it to this lock context.\n   *\n   * @param jwtToken - A valid OIDC / JWT token for the current user.\n   * @returns A `Result` containing this `LockContext` (now authenticated) or an error.\n   *\n   * @example\n   * ```typescript\n   * const lc = new LockContext()\n   * const result = await lc.identify(userJwt)\n   * if (result.failure) {\n   *   console.error(\"Auth failed:\", result.failure.message)\n   * }\n   * ```\n   */\n  async identify(\n    jwtToken: string,\n  ): Promise<Result<LockContext, EncryptionError>> {\n    const workspaceId = this.workspaceId\n\n    const ctsEndpoint =\n      process.env.CS_CTS_ENDPOINT ||\n      'https://ap-southeast-2.aws.auth.viturhosted.net'\n\n    const ctsFetchResult = await withResult(\n      () =>\n        fetch(`${ctsEndpoint}/api/authorize`, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n          },\n          body: JSON.stringify({\n            workspaceId,\n            oidcToken: jwtToken,\n          }),\n        }),\n      (error) => ({\n        type: EncryptionErrorTypes.CtsTokenError,\n        message: error.message,\n      }),\n    )\n\n    if (ctsFetchResult.failure) {\n      return ctsFetchResult\n    }\n\n    const identifiedLockContext = await withResult(\n      async () => {\n        const ctsToken = (await ctsFetchResult.data.json()) as CtsToken\n\n        if (!ctsToken.accessToken) {\n          throw new Error(\n            'The response from the CipherStash API did not contain an access token. Please contact support.',\n          )\n        }\n\n        this.ctsToken = ctsToken\n        return this\n      },\n      (error) => ({\n        type: EncryptionErrorTypes.CtsTokenError,\n        message: error.message,\n      }),\n    )\n\n    return identifiedLockContext\n  }\n\n  /**\n   * Retrieve the current CTS token and context for use with encryption operations.\n   *\n   * Must be called after {@link identify}. Returns the token/context pair that\n   * `.withLockContext()` expects.\n   *\n   * @returns A `Result` containing the CTS token and identity context, or an error\n   *   if {@link identify} has not been called.\n   */\n  getLockContext(): Promise<Result<GetLockContextResponse, EncryptionError>> {\n    return withResult(\n      () => {\n        if (!this.ctsToken?.accessToken || !this.ctsToken?.expiry) {\n          throw new Error(\n            'The CTS token is not set. Please call identify() with a users JWT token, or pass an existing CTS token to the LockContext constructor before calling getLockContext().',\n          )\n        }\n\n        return {\n          context: this.context,\n          ctsToken: this.ctsToken,\n        }\n      },\n      (error) => ({\n        type: EncryptionErrorTypes.CtsTokenError,\n        message: error.message,\n      }),\n    )\n  }\n}\n","import type { ProtectErrorCode } from '@cipherstash/protect-ffi'\n\nexport const EncryptionErrorTypes = {\n  ClientInitError: 'ClientInitError',\n  EncryptionError: 'EncryptionError',\n  DecryptionError: 'DecryptionError',\n  LockContextError: 'LockContextError',\n  CtsTokenError: 'CtsTokenError',\n}\n\n/**\n * Base error interface returned by all encryption operations.\n *\n * Every operation that can fail returns `Result<T, EncryptionError>`.\n * Use the `type` field to narrow to a specific error kind, or use\n * {@link StackError} for an exhaustive discriminated union.\n *\n * @example\n * ```typescript\n * const result = await client.encrypt(value, opts)\n * if (result.failure) {\n *   switch (result.failure.type) {\n *     case 'EncryptionError':\n *       console.error('Encryption failed:', result.failure.message)\n *       break\n *     case 'LockContextError':\n *       console.error('Lock context issue:', result.failure.message)\n *       break\n *   }\n * }\n * ```\n */\nexport interface EncryptionError {\n  type: (typeof EncryptionErrorTypes)[keyof typeof EncryptionErrorTypes]\n  message: string\n  code?: ProtectErrorCode\n}\n\n// ---------------------------------------------------------------------------\n// Specific error types (discriminated union members)\n// ---------------------------------------------------------------------------\n\nexport interface ClientInitError {\n  type: typeof EncryptionErrorTypes.ClientInitError\n  message: string\n}\n\nexport interface EncryptionOperationError {\n  type: typeof EncryptionErrorTypes.EncryptionError\n  message: string\n  code?: ProtectErrorCode\n}\n\nexport interface DecryptionOperationError {\n  type: typeof EncryptionErrorTypes.DecryptionError\n  message: string\n  code?: ProtectErrorCode\n}\n\nexport interface LockContextError {\n  type: typeof EncryptionErrorTypes.LockContextError\n  message: string\n}\n\nexport interface CtsTokenError {\n  type: typeof EncryptionErrorTypes.CtsTokenError\n  message: string\n}\n\n/**\n * Discriminated union of all specific error types.\n *\n * Use `StackError` when you need exhaustive error handling via `switch` on the `type` field.\n *\n * @example\n * ```typescript\n * function handleError(error: StackError) {\n *   switch (error.type) {\n *     case 'ClientInitError':\n *       // re-initialize client\n *       break\n *     case 'EncryptionError':\n *     case 'DecryptionError':\n *       // log and retry\n *       break\n *     case 'LockContextError':\n *       // re-authenticate\n *       break\n *     case 'CtsTokenError':\n *       // refresh token\n *       break\n *     default:\n *       error satisfies never\n *   }\n * }\n * ```\n */\nexport type StackError =\n  | ClientInitError\n  | EncryptionOperationError\n  | DecryptionOperationError\n  | LockContextError\n  | CtsTokenError\n\n// ---------------------------------------------------------------------------\n// Error utilities\n// ---------------------------------------------------------------------------\n\n/**\n * Safely extract an error message from an unknown thrown value.\n * Unlike `(error as Error).message`, this handles non-Error values gracefully.\n */\nexport function getErrorMessage(error: unknown): string {\n  if (error instanceof Error) return error.message\n  if (typeof error === 'string') return error\n  return String(error)\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\n\n/**\n * A lightweight function that parses a TOML-like string\n * and returns the `workspace_crn` value found under `[auth]`.\n *\n * @param tomlString The contents of the TOML file as a string.\n * @returns The workspace_crn if found, otherwise undefined.\n */\nfunction getWorkspaceCrn(tomlString: string): string | undefined {\n  let currentSection = ''\n  let workspaceCrn: string | undefined\n\n  const lines = tomlString.split(/\\r?\\n/)\n\n  for (const line of lines) {\n    const trimmedLine = line.trim()\n\n    if (!trimmedLine || trimmedLine.startsWith('#')) {\n      continue\n    }\n\n    const sectionMatch = trimmedLine.match(/^\\[([^\\]]+)\\]$/)\n    if (sectionMatch) {\n      currentSection = sectionMatch[1]\n      continue\n    }\n\n    const kvMatch = trimmedLine.match(/^(\\w+)\\s*=\\s*\"([^\"]+)\"$/)\n    if (kvMatch) {\n      const [_, key, value] = kvMatch\n\n      if (currentSection === 'auth' && key === 'workspace_crn') {\n        workspaceCrn = value\n        break\n      }\n    }\n  }\n\n  return workspaceCrn\n}\n\n/**\n * Extracts the workspace ID from a CRN string.\n * CRN format: crn:region.aws:ID\n *\n * @param crn The CRN string to extract from\n * @returns The workspace ID portion of the CRN\n */\nexport function extractWorkspaceIdFromCrn(crn: string): string {\n  const match = crn.match(/crn:[^:]+:([^:]+)$/)\n  if (!match) {\n    throw new Error('Invalid CRN format')\n  }\n  return match[1]\n}\n\nexport function loadWorkSpaceId(suppliedCrn?: string): string {\n  const configPath = path.join(process.cwd(), 'cipherstash.toml')\n\n  if (suppliedCrn) {\n    return extractWorkspaceIdFromCrn(suppliedCrn)\n  }\n\n  if (!fs.existsSync(configPath) && !process.env.CS_WORKSPACE_CRN) {\n    throw new Error(\n      'You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable.',\n    )\n  }\n\n  // Environment variables take precedence over config files\n  if (process.env.CS_WORKSPACE_CRN) {\n    return extractWorkspaceIdFromCrn(process.env.CS_WORKSPACE_CRN)\n  }\n\n  if (!fs.existsSync(configPath)) {\n    throw new Error(\n      'You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable.',\n    )\n  }\n\n  const tomlString = fs.readFileSync(configPath, 'utf8')\n  const workspaceCrn = getWorkspaceCrn(tomlString)\n\n  if (!workspaceCrn) {\n    throw new Error(\n      'You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable.',\n    )\n  }\n\n  return extractWorkspaceIdFromCrn(workspaceCrn)\n}\n","import { initLogger, createRequestLogger } from 'evlog'\nimport type { LoggerConfig } from 'evlog'\n\nexport type LoggingConfig = {\n  enabled?: boolean\n  pretty?: boolean\n  drain?: LoggerConfig['drain']\n}\n\nfunction samplingFromEnv() {\n  const env = process.env.STASH_LOG_LEVEL\n  if (!env) return undefined\n  const levels = ['debug', 'info', 'warn', 'error'] as const\n  const idx = levels.indexOf(env as (typeof levels)[number])\n  if (idx === -1) return undefined\n  return Object.fromEntries(levels.map((l, i) => [l, i >= idx ? 100 : 0]))\n}\n\nlet initialized = false\n\nexport function initStackLogger(config?: LoggingConfig): void {\n  if (initialized) return\n  initialized = true\n  const rates = samplingFromEnv()\n  initLogger({\n    env: { service: '@cipherstash/stack' },\n    enabled: config?.enabled ?? true,\n    pretty: config?.pretty,\n    ...(rates && { sampling: { rates } }),\n    ...(config?.drain && { drain: config.drain }),\n  })\n}\n\n// Auto-init with defaults on first import\ninitStackLogger()\n\nexport { createRequestLogger }\n\n// Stringify only the first arg (the message string); drop subsequent args\n// which may contain sensitive objects (e.g. encryptConfig, plaintext).\nfunction safeMessage(args: unknown[]): string {\n  return typeof args[0] === 'string' ? args[0] : ''\n}\n\n// Legacy logger for simple one-off logs (used by encryption/ffi/index.ts + identity/index.ts)\nexport const logger = {\n  debug(...args: unknown[]) {\n    const log = createRequestLogger()\n    log.set({ level: 'debug', source: '@cipherstash/stack', message: safeMessage(args) })\n    log.emit()\n  },\n  info(...args: unknown[]) {\n    const log = createRequestLogger()\n    log.set({ source: '@cipherstash/stack' })\n    log.info(safeMessage(args))\n    log.emit()\n  },\n  warn(...args: unknown[]) {\n    const log = createRequestLogger()\n    log.warn(safeMessage(args))\n    log.emit()\n  },\n  error(...args: unknown[]) {\n    const log = createRequestLogger()\n    log.error(safeMessage(args))\n    log.emit()\n  },\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEO,IAAM,uBAAuB;AAAA,EAClC,iBAAiB;AAAA,EACjB,iBAAiB;AAAA,EACjB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,eAAe;AACjB;;;ACRA,qBAAe;AACf,uBAAiB;AASjB,SAAS,gBAAgB,YAAwC;AAC/D,MAAI,iBAAiB;AACrB,MAAI;AAEJ,QAAM,QAAQ,WAAW,MAAM,OAAO;AAEtC,aAAW,QAAQ,OAAO;AACxB,UAAM,cAAc,KAAK,KAAK;AAE9B,QAAI,CAAC,eAAe,YAAY,WAAW,GAAG,GAAG;AAC/C;AAAA,IACF;AAEA,UAAM,eAAe,YAAY,MAAM,gBAAgB;AACvD,QAAI,cAAc;AAChB,uBAAiB,aAAa,CAAC;AAC/B;AAAA,IACF;AAEA,UAAM,UAAU,YAAY,MAAM,yBAAyB;AAC3D,QAAI,SAAS;AACX,YAAM,CAAC,GAAG,KAAK,KAAK,IAAI;AAExB,UAAI,mBAAmB,UAAU,QAAQ,iBAAiB;AACxD,uBAAe;AACf;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AASO,SAAS,0BAA0B,KAAqB;AAC7D,QAAM,QAAQ,IAAI,MAAM,oBAAoB;AAC5C,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,oBAAoB;AAAA,EACtC;AACA,SAAO,MAAM,CAAC;AAChB;AAEO,SAAS,gBAAgB,aAA8B;AAC5D,QAAM,aAAa,iBAAAA,QAAK,KAAK,QAAQ,IAAI,GAAG,kBAAkB;AAE9D,MAAI,aAAa;AACf,WAAO,0BAA0B,WAAW;AAAA,EAC9C;AAEA,MAAI,CAAC,eAAAC,QAAG,WAAW,UAAU,KAAK,CAAC,QAAQ,IAAI,kBAAkB;AAC/D,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAGA,MAAI,QAAQ,IAAI,kBAAkB;AAChC,WAAO,0BAA0B,QAAQ,IAAI,gBAAgB;AAAA,EAC/D;AAEA,MAAI,CAAC,eAAAA,QAAG,WAAW,UAAU,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAa,eAAAA,QAAG,aAAa,YAAY,MAAM;AACrD,QAAM,eAAe,gBAAgB,UAAU;AAE/C,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO,0BAA0B,YAAY;AAC/C;;;AC5FA,mBAAgD;AAShD,SAAS,kBAAkB;AACzB,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,SAAS,CAAC,SAAS,QAAQ,QAAQ,OAAO;AAChD,QAAM,MAAM,OAAO,QAAQ,GAA8B;AACzD,MAAI,QAAQ,GAAI,QAAO;AACvB,SAAO,OAAO,YAAY,OAAO,IAAI,CAAC,GAAG,MAAM,CAAC,GAAG,KAAK,MAAM,MAAM,CAAC,CAAC,CAAC;AACzE;AAEA,IAAI,cAAc;AAEX,SAAS,gBAAgB,QAA8B;AAC5D,MAAI,YAAa;AACjB,gBAAc;AACd,QAAM,QAAQ,gBAAgB;AAC9B,+BAAW;AAAA,IACT,KAAK,EAAE,SAAS,qBAAqB;AAAA,IACrC,SAAS,QAAQ,WAAW;AAAA,IAC5B,QAAQ,QAAQ;AAAA,IAChB,GAAI,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE;AAAA,IACnC,GAAI,QAAQ,SAAS,EAAE,OAAO,OAAO,MAAM;AAAA,EAC7C,CAAC;AACH;AAGA,gBAAgB;AAMhB,SAAS,YAAY,MAAyB;AAC5C,SAAO,OAAO,KAAK,CAAC,MAAM,WAAW,KAAK,CAAC,IAAI;AACjD;AAGO,IAAM,SAAS;AAAA,EACpB,SAAS,MAAiB;AACxB,UAAM,UAAM,kCAAoB;AAChC,QAAI,IAAI,EAAE,OAAO,SAAS,QAAQ,sBAAsB,SAAS,YAAY,IAAI,EAAE,CAAC;AACpF,QAAI,KAAK;AAAA,EACX;AAAA,EACA,QAAQ,MAAiB;AACvB,UAAM,UAAM,kCAAoB;AAChC,QAAI,IAAI,EAAE,QAAQ,qBAAqB,CAAC;AACxC,QAAI,KAAK,YAAY,IAAI,CAAC;AAC1B,QAAI,KAAK;AAAA,EACX;AAAA,EACA,QAAQ,MAAiB;AACvB,UAAM,UAAM,kCAAoB;AAChC,QAAI,KAAK,YAAY,IAAI,CAAC;AAC1B,QAAI,KAAK;AAAA,EACX;AAAA,EACA,SAAS,MAAiB;AACxB,UAAM,UAAM,kCAAoB;AAChC,QAAI,MAAM,YAAY,IAAI,CAAC;AAC3B,QAAI,KAAK;AAAA,EACX;AACF;;;AHhEA,oBAAwC;AAiDjC,IAAM,cAAN,MAAkB;AAAA,EACf;AAAA,EACA;AAAA,EACA;AAAA,EAER,YAAY;AAAA,IACV,UAAU,EAAE,eAAe,CAAC,KAAK,EAAE;AAAA,IACnC;AAAA,EACF,IAAwB,CAAC,GAAG;AAC1B,UAAM,cAAc,gBAAgB;AAEpC,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,UAAU;AACZ,WAAK,WAAW;AAAA,IAClB;AAEA,SAAK,cAAc;AACnB,SAAK,UAAU;AACf,WAAO,MAAM,gDAAgD;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,SACJ,UAC+C;AAC/C,UAAM,cAAc,KAAK;AAEzB,UAAM,cACJ,QAAQ,IAAI,mBACZ;AAEF,UAAM,iBAAiB,UAAM;AAAA,MAC3B,MACE,MAAM,GAAG,WAAW,kBAAkB;AAAA,QACpC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB;AAAA,UACA,WAAW;AAAA,QACb,CAAC;AAAA,MACH,CAAC;AAAA,MACH,CAAC,WAAW;AAAA,QACV,MAAM,qBAAqB;AAAA,QAC3B,SAAS,MAAM;AAAA,MACjB;AAAA,IACF;AAEA,QAAI,eAAe,SAAS;AAC1B,aAAO;AAAA,IACT;AAEA,UAAM,wBAAwB,UAAM;AAAA,MAClC,YAAY;AACV,cAAM,WAAY,MAAM,eAAe,KAAK,KAAK;AAEjD,YAAI,CAAC,SAAS,aAAa;AACzB,gBAAM,IAAI;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAEA,aAAK,WAAW;AAChB,eAAO;AAAA,MACT;AAAA,MACA,CAAC,WAAW;AAAA,QACV,MAAM,qBAAqB;AAAA,QAC3B,SAAS,MAAM;AAAA,MACjB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,iBAA2E;AACzE,eAAO;AAAA,MACL,MAAM;AACJ,YAAI,CAAC,KAAK,UAAU,eAAe,CAAC,KAAK,UAAU,QAAQ;AACzD,gBAAM,IAAI;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAEA,eAAO;AAAA,UACL,SAAS,KAAK;AAAA,UACd,UAAU,KAAK;AAAA,QACjB;AAAA,MACF;AAAA,MACA,CAAC,WAAW;AAAA,QACV,MAAM,qBAAqB;AAAA,QAC3B,SAAS,MAAM;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AACF;","names":["path","fs"]}

package/dist/identity/index.d.cts

@@ -0,0 +1,3 @@
+export { h as Context, e as CtsRegions, f as CtsToken, G as GetLockContextResponse, I as IdentifyOptions, d as LockContext, i as LockContextOptions } from '../index-9-Ya3fDK.cjs';
+import '@byteslice/result';
+import '@cipherstash/protect-ffi';

package/dist/identity/index.d.ts

@@ -0,0 +1,3 @@
+export { h as Context, e as CtsRegions, f as CtsToken, G as GetLockContextResponse, I as IdentifyOptions, d as LockContext, i as LockContextOptions } from '../index-9-Ya3fDK.js';
+import '@byteslice/result';
+import '@cipherstash/protect-ffi';

package/dist/identity/index.js

@@ -0,0 +1,117 @@
+import {
+  EncryptionErrorTypes,
+  loadWorkSpaceId,
+  logger
+} from "../chunk-5DCT6YU2.js";
+
+// src/identity/index.ts
+import { withResult } from "@byteslice/result";
+var LockContext = class {
+  ctsToken;
+  workspaceId;
+  context;
+  constructor({
+    context = { identityClaim: ["sub"] },
+    ctsToken
+  } = {}) {
+    const workspaceId = loadWorkSpaceId();
+    if (!workspaceId) {
+      throw new Error(
+        "You have not defined a workspace ID in your config file, or the CS_WORKSPACE_CRN environment variable."
+      );
+    }
+    if (ctsToken) {
+      this.ctsToken = ctsToken;
+    }
+    this.workspaceId = workspaceId;
+    this.context = context;
+    logger.debug("Successfully initialized the EQL lock context.");
+  }
+  /**
+   * Exchange a user's JWT for a CTS token and bind it to this lock context.
+   *
+   * @param jwtToken - A valid OIDC / JWT token for the current user.
+   * @returns A `Result` containing this `LockContext` (now authenticated) or an error.
+   *
+   * @example
+   * ```typescript
+   * const lc = new LockContext()
+   * const result = await lc.identify(userJwt)
+   * if (result.failure) {
+   *   console.error("Auth failed:", result.failure.message)
+   * }
+   * ```
+   */
+  async identify(jwtToken) {
+    const workspaceId = this.workspaceId;
+    const ctsEndpoint = process.env.CS_CTS_ENDPOINT || "https://ap-southeast-2.aws.auth.viturhosted.net";
+    const ctsFetchResult = await withResult(
+      () => fetch(`${ctsEndpoint}/api/authorize`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          workspaceId,
+          oidcToken: jwtToken
+        })
+      }),
+      (error) => ({
+        type: EncryptionErrorTypes.CtsTokenError,
+        message: error.message
+      })
+    );
+    if (ctsFetchResult.failure) {
+      return ctsFetchResult;
+    }
+    const identifiedLockContext = await withResult(
+      async () => {
+        const ctsToken = await ctsFetchResult.data.json();
+        if (!ctsToken.accessToken) {
+          throw new Error(
+            "The response from the CipherStash API did not contain an access token. Please contact support."
+          );
+        }
+        this.ctsToken = ctsToken;
+        return this;
+      },
+      (error) => ({
+        type: EncryptionErrorTypes.CtsTokenError,
+        message: error.message
+      })
+    );
+    return identifiedLockContext;
+  }
+  /**
+   * Retrieve the current CTS token and context for use with encryption operations.
+   *
+   * Must be called after {@link identify}. Returns the token/context pair that
+   * `.withLockContext()` expects.
+   *
+   * @returns A `Result` containing the CTS token and identity context, or an error
+   *   if {@link identify} has not been called.
+   */
+  getLockContext() {
+    return withResult(
+      () => {
+        if (!this.ctsToken?.accessToken || !this.ctsToken?.expiry) {
+          throw new Error(
+            "The CTS token is not set. Please call identify() with a users JWT token, or pass an existing CTS token to the LockContext constructor before calling getLockContext()."
+          );
+        }
+        return {
+          context: this.context,
+          ctsToken: this.ctsToken
+        };
+      },
+      (error) => ({
+        type: EncryptionErrorTypes.CtsTokenError,
+        message: error.message
+      })
+    );
+  }
+};
+export {
+  LockContext
+};
+//# sourceMappingURL=index.js.map

package/dist/identity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/identity/index.ts"],"sourcesContent":["import { type EncryptionError, EncryptionErrorTypes } from '@/errors'\nimport { loadWorkSpaceId } from '@/utils/config'\nimport { logger } from '@/utils/logger'\nimport { type Result, withResult } from '@byteslice/result'\n\nexport type CtsRegions = 'ap-southeast-2'\n\nexport type IdentifyOptions = {\n  fetchFromCts?: boolean\n}\n\nexport type CtsToken = {\n  accessToken: string\n  expiry: number\n}\n\nexport type Context = {\n  identityClaim: string[]\n}\n\nexport type LockContextOptions = {\n  context?: Context\n  ctsToken?: CtsToken\n}\n\nexport type GetLockContextResponse = {\n  ctsToken: CtsToken\n  context: Context\n}\n\n/**\n * Manages CipherStash lock contexts for row-level access control.\n *\n * A `LockContext` ties encryption/decryption operations to an authenticated\n * user identity via CTS (CipherStash Token Service). Call {@link identify}\n * with a user's JWT to obtain a CTS token, then pass the `LockContext`\n * to `.withLockContext()` on any encrypt/decrypt operation.\n *\n * @example\n * ```typescript\n * import { LockContext } from \"@cipherstash/stack/identity\"\n *\n * const lc = new LockContext()\n * const identified = await lc.identify(userJwt)\n *\n * if (identified.failure) throw new Error(identified.failure.message)\n *\n * const result = await client\n *   .encrypt(value, { column: users.email, table: users })\n *   .withLockContext(identified.data)\n * ```\n */\nexport class LockContext {\n  private ctsToken: CtsToken | undefined\n  private workspaceId: string\n  private context: Context\n\n  constructor({\n    context = { identityClaim: ['sub'] },\n    ctsToken,\n  }: LockContextOptions = {}) {\n    const workspaceId = loadWorkSpaceId()\n\n    if (!workspaceId) {\n      throw new Error(\n        'You have not defined a workspace ID in your config file, or the CS_WORKSPACE_CRN environment variable.',\n      )\n    }\n\n    if (ctsToken) {\n      this.ctsToken = ctsToken\n    }\n\n    this.workspaceId = workspaceId\n    this.context = context\n    logger.debug('Successfully initialized the EQL lock context.')\n  }\n\n  /**\n   * Exchange a user's JWT for a CTS token and bind it to this lock context.\n   *\n   * @param jwtToken - A valid OIDC / JWT token for the current user.\n   * @returns A `Result` containing this `LockContext` (now authenticated) or an error.\n   *\n   * @example\n   * ```typescript\n   * const lc = new LockContext()\n   * const result = await lc.identify(userJwt)\n   * if (result.failure) {\n   *   console.error(\"Auth failed:\", result.failure.message)\n   * }\n   * ```\n   */\n  async identify(\n    jwtToken: string,\n  ): Promise<Result<LockContext, EncryptionError>> {\n    const workspaceId = this.workspaceId\n\n    const ctsEndpoint =\n      process.env.CS_CTS_ENDPOINT ||\n      'https://ap-southeast-2.aws.auth.viturhosted.net'\n\n    const ctsFetchResult = await withResult(\n      () =>\n        fetch(`${ctsEndpoint}/api/authorize`, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n          },\n          body: JSON.stringify({\n            workspaceId,\n            oidcToken: jwtToken,\n          }),\n        }),\n      (error) => ({\n        type: EncryptionErrorTypes.CtsTokenError,\n        message: error.message,\n      }),\n    )\n\n    if (ctsFetchResult.failure) {\n      return ctsFetchResult\n    }\n\n    const identifiedLockContext = await withResult(\n      async () => {\n        const ctsToken = (await ctsFetchResult.data.json()) as CtsToken\n\n        if (!ctsToken.accessToken) {\n          throw new Error(\n            'The response from the CipherStash API did not contain an access token. Please contact support.',\n          )\n        }\n\n        this.ctsToken = ctsToken\n        return this\n      },\n      (error) => ({\n        type: EncryptionErrorTypes.CtsTokenError,\n        message: error.message,\n      }),\n    )\n\n    return identifiedLockContext\n  }\n\n  /**\n   * Retrieve the current CTS token and context for use with encryption operations.\n   *\n   * Must be called after {@link identify}. Returns the token/context pair that\n   * `.withLockContext()` expects.\n   *\n   * @returns A `Result` containing the CTS token and identity context, or an error\n   *   if {@link identify} has not been called.\n   */\n  getLockContext(): Promise<Result<GetLockContextResponse, EncryptionError>> {\n    return withResult(\n      () => {\n        if (!this.ctsToken?.accessToken || !this.ctsToken?.expiry) {\n          throw new Error(\n            'The CTS token is not set. Please call identify() with a users JWT token, or pass an existing CTS token to the LockContext constructor before calling getLockContext().',\n          )\n        }\n\n        return {\n          context: this.context,\n          ctsToken: this.ctsToken,\n        }\n      },\n      (error) => ({\n        type: EncryptionErrorTypes.CtsTokenError,\n        message: error.message,\n      }),\n    )\n  }\n}\n"],"mappings":";;;;;;;AAGA,SAAsB,kBAAkB;AAiDjC,IAAM,cAAN,MAAkB;AAAA,EACf;AAAA,EACA;AAAA,EACA;AAAA,EAER,YAAY;AAAA,IACV,UAAU,EAAE,eAAe,CAAC,KAAK,EAAE;AAAA,IACnC;AAAA,EACF,IAAwB,CAAC,GAAG;AAC1B,UAAM,cAAc,gBAAgB;AAEpC,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,UAAU;AACZ,WAAK,WAAW;AAAA,IAClB;AAEA,SAAK,cAAc;AACnB,SAAK,UAAU;AACf,WAAO,MAAM,gDAAgD;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,SACJ,UAC+C;AAC/C,UAAM,cAAc,KAAK;AAEzB,UAAM,cACJ,QAAQ,IAAI,mBACZ;AAEF,UAAM,iBAAiB,MAAM;AAAA,MAC3B,MACE,MAAM,GAAG,WAAW,kBAAkB;AAAA,QACpC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB;AAAA,UACA,WAAW;AAAA,QACb,CAAC;AAAA,MACH,CAAC;AAAA,MACH,CAAC,WAAW;AAAA,QACV,MAAM,qBAAqB;AAAA,QAC3B,SAAS,MAAM;AAAA,MACjB;AAAA,IACF;AAEA,QAAI,eAAe,SAAS;AAC1B,aAAO;AAAA,IACT;AAEA,UAAM,wBAAwB,MAAM;AAAA,MAClC,YAAY;AACV,cAAM,WAAY,MAAM,eAAe,KAAK,KAAK;AAEjD,YAAI,CAAC,SAAS,aAAa;AACzB,gBAAM,IAAI;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAEA,aAAK,WAAW;AAChB,eAAO;AAAA,MACT;AAAA,MACA,CAAC,WAAW;AAAA,QACV,MAAM,qBAAqB;AAAA,QAC3B,SAAS,MAAM;AAAA,MACjB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,iBAA2E;AACzE,WAAO;AAAA,MACL,MAAM;AACJ,YAAI,CAAC,KAAK,UAAU,eAAe,CAAC,KAAK,UAAU,QAAQ;AACzD,gBAAM,IAAI;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAEA,eAAO;AAAA,UACL,SAAS,KAAK;AAAA,UACd,UAAU,KAAK;AAAA,QACjB;AAAA,MACF;AAAA,MACA,CAAC,WAAW;AAAA,QACV,MAAM,qBAAqB;AAAA,QAC3B,SAAS,MAAM;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AACF;","names":[]}