@cipherstash/stack 0.1.0

package/dist/index.cjs

@@ -0,0 +1,2915 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  Encryption: () => Encryption,
+  EncryptionErrorTypes: () => EncryptionErrorTypes,
+  encryptedColumn: () => encryptedColumn,
+  encryptedTable: () => encryptedTable,
+  encryptedValue: () => encryptedValue,
+  getErrorMessage: () => getErrorMessage
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/errors/index.ts
+var EncryptionErrorTypes = {
+  ClientInitError: "ClientInitError",
+  EncryptionError: "EncryptionError",
+  DecryptionError: "DecryptionError",
+  LockContextError: "LockContextError",
+  CtsTokenError: "CtsTokenError"
+};
+function getErrorMessage(error) {
+  if (error instanceof Error) return error.message;
+  if (typeof error === "string") return error;
+  return String(error);
+}
+
+// src/schema/index.ts
+var import_zod = require("zod");
+var castAsEnum = import_zod.z.enum(["bigint", "boolean", "date", "number", "string", "json"]).default("string");
+var tokenFilterSchema = import_zod.z.object({
+  kind: import_zod.z.literal("downcase")
+});
+var tokenizerSchema = import_zod.z.union([
+  import_zod.z.object({
+    kind: import_zod.z.literal("standard")
+  }),
+  import_zod.z.object({
+    kind: import_zod.z.literal("ngram"),
+    token_length: import_zod.z.number()
+  })
+]).default({ kind: "ngram", token_length: 3 }).optional();
+var oreIndexOptsSchema = import_zod.z.object({});
+var uniqueIndexOptsSchema = import_zod.z.object({
+  token_filters: import_zod.z.array(tokenFilterSchema).default([]).optional()
+});
+var matchIndexOptsSchema = import_zod.z.object({
+  tokenizer: tokenizerSchema,
+  token_filters: import_zod.z.array(tokenFilterSchema).default([]).optional(),
+  k: import_zod.z.number().default(6).optional(),
+  m: import_zod.z.number().default(2048).optional(),
+  include_original: import_zod.z.boolean().default(false).optional()
+});
+var steVecIndexOptsSchema = import_zod.z.object({
+  prefix: import_zod.z.string()
+});
+var indexesSchema = import_zod.z.object({
+  ore: oreIndexOptsSchema.optional(),
+  unique: uniqueIndexOptsSchema.optional(),
+  match: matchIndexOptsSchema.optional(),
+  ste_vec: steVecIndexOptsSchema.optional()
+}).default({});
+var columnSchema = import_zod.z.object({
+  cast_as: castAsEnum,
+  indexes: indexesSchema
+}).default({});
+var tableSchema = import_zod.z.record(columnSchema).default({});
+var tablesSchema = import_zod.z.record(tableSchema).default({});
+var encryptConfigSchema = import_zod.z.object({
+  v: import_zod.z.number(),
+  tables: tablesSchema
+});
+var ProtectValue = class {
+  valueName;
+  castAsValue;
+  constructor(valueName) {
+    this.valueName = valueName;
+    this.castAsValue = "string";
+  }
+  /**
+   * Set or override the plaintext data type for this value.
+   *
+   * By default all values are treated as `'string'`. Use this method to specify
+   * a different type so the encryption layer knows how to encode the plaintext
+   * before encrypting.
+   *
+   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
+   * @returns This `ProtectValue` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedValue } from "@cipherstash/stack/schema"
+   *
+   * const age = encryptedValue("age").dataType("number")
+   * ```
+   */
+  dataType(castAs) {
+    this.castAsValue = castAs;
+    return this;
+  }
+  build() {
+    return {
+      cast_as: this.castAsValue,
+      indexes: {}
+    };
+  }
+  getName() {
+    return this.valueName;
+  }
+};
+var ProtectColumn = class {
+  columnName;
+  castAsValue;
+  indexesValue = {};
+  constructor(columnName) {
+    this.columnName = columnName;
+    this.castAsValue = "string";
+  }
+  /**
+   * Set or override the plaintext data type for this column.
+   *
+   * By default all columns are treated as `'string'`. Use this method to specify
+   * a different type so the encryption layer knows how to encode the plaintext
+   * before encrypting.
+   *
+   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const dateOfBirth = encryptedColumn("date_of_birth").dataType("date")
+   * ```
+   */
+  dataType(castAs) {
+    this.castAsValue = castAs;
+    return this;
+  }
+  /**
+   * Enable Order-Revealing Encryption (ORE) indexing on this column.
+   *
+   * ORE allows sorting, comparison, and range queries on encrypted data.
+   * Use with `encryptQuery` and `queryType: 'orderAndRange'`.
+   *
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").orderAndRange(),
+   * })
+   * ```
+   */
+  orderAndRange() {
+    this.indexesValue.ore = {};
+    return this;
+  }
+  /**
+   * Enable an exact-match (unique) index on this column.
+   *
+   * Allows equality queries on encrypted data. Use with `encryptQuery`
+   * and `queryType: 'equality'`.
+   *
+   * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
+   *   When omitted, no token filters are applied.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   * ```
+   */
+  equality(tokenFilters) {
+    this.indexesValue.unique = {
+      token_filters: tokenFilters ?? []
+    };
+    return this;
+  }
+  /**
+   * Enable a full-text / fuzzy search (match) index on this column.
+   *
+   * Uses n-gram tokenization by default for substring and fuzzy matching.
+   * Use with `encryptQuery` and `queryType: 'freeTextSearch'`.
+   *
+   * @param opts - Optional match index configuration. Defaults to 3-character ngram
+   *   tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").freeTextSearch(),
+   * })
+   *
+   * // With custom options
+   * const posts = encryptedTable("posts", {
+   *   body: encryptedColumn("body").freeTextSearch({
+   *     tokenizer: { kind: "ngram", token_length: 4 },
+   *     k: 8,
+   *     m: 4096,
+   *   }),
+   * })
+   * ```
+   */
+  freeTextSearch(opts) {
+    this.indexesValue.match = {
+      tokenizer: opts?.tokenizer ?? { kind: "ngram", token_length: 3 },
+      token_filters: opts?.token_filters ?? [
+        {
+          kind: "downcase"
+        }
+      ],
+      k: opts?.k ?? 6,
+      m: opts?.m ?? 2048,
+      include_original: opts?.include_original ?? true
+    };
+    return this;
+  }
+  /**
+   * Configure this column for searchable encrypted JSON (STE-Vec).
+   *
+   * Enables encrypted JSONPath selector queries (e.g. `'$.user.email'`) and
+   * containment queries (e.g. `{ role: 'admin' }`). Automatically sets the
+   * data type to `'json'`.
+   *
+   * When used with `encryptQuery`, the query operation is auto-inferred from
+   * the plaintext type: strings become selector queries, objects/arrays become
+   * containment queries.
+   *
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const documents = encryptedTable("documents", {
+   *   metadata: encryptedColumn("metadata").searchableJson(),
+   * })
+   * ```
+   */
+  searchableJson() {
+    this.castAsValue = "json";
+    this.indexesValue.ste_vec = { prefix: "enabled" };
+    return this;
+  }
+  build() {
+    return {
+      cast_as: this.castAsValue,
+      indexes: this.indexesValue
+    };
+  }
+  getName() {
+    return this.columnName;
+  }
+};
+var ProtectTable = class {
+  constructor(tableName, columnBuilders) {
+    this.tableName = tableName;
+    this.columnBuilders = columnBuilders;
+  }
+  /**
+   * Compile this table schema into a `TableDefinition` used internally by the encryption client.
+   *
+   * Iterates over all column builders, calls `.build()` on each, and assembles
+   * the final `{ tableName, columns }` structure. For `searchableJson()` columns,
+   * the STE-Vec prefix is automatically set to `"<tableName>/<columnName>"`.
+   *
+   * @returns A `TableDefinition` containing the table name and built column configs.
+   *
+   * @example
+   * ```typescript
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   *
+   * const definition = users.build()
+   * // { tableName: "users", columns: { email: { cast_as: "string", indexes: { unique: ... } } } }
+   * ```
+   */
+  build() {
+    const builtColumns = {};
+    const processColumn = (builder, colName) => {
+      if (builder instanceof ProtectColumn) {
+        const builtColumn = builder.build();
+        if (builtColumn.cast_as === "json" && builtColumn.indexes.ste_vec?.prefix === "enabled") {
+          builtColumns[colName] = {
+            ...builtColumn,
+            indexes: {
+              ...builtColumn.indexes,
+              ste_vec: {
+                prefix: `${this.tableName}/${colName}`
+              }
+            }
+          };
+        } else {
+          builtColumns[colName] = builtColumn;
+        }
+      } else {
+        for (const [key, value] of Object.entries(builder)) {
+          if (value instanceof ProtectValue) {
+            builtColumns[value.getName()] = value.build();
+          } else {
+            processColumn(value, key);
+          }
+        }
+      }
+    };
+    for (const [colName, builder] of Object.entries(this.columnBuilders)) {
+      processColumn(builder, colName);
+    }
+    return {
+      tableName: this.tableName,
+      columns: builtColumns
+    };
+  }
+};
+function encryptedTable(tableName, columns) {
+  const tableBuilder = new ProtectTable(tableName, columns);
+  for (const [colName, colBuilder] of Object.entries(columns)) {
+    ;
+    tableBuilder[colName] = colBuilder;
+  }
+  return tableBuilder;
+}
+function encryptedColumn(columnName) {
+  return new ProtectColumn(columnName);
+}
+function encryptedValue(valueName) {
+  return new ProtectValue(valueName);
+}
+function buildEncryptConfig(...protectTables) {
+  const config = {
+    v: 2,
+    tables: {}
+  };
+  for (const tb of protectTables) {
+    const tableDef = tb.build();
+    config.tables[tableDef.tableName] = tableDef.columns;
+  }
+  return config;
+}
+
+// src/utils/config/index.ts
+var import_node_fs = __toESM(require("fs"), 1);
+var import_node_path = __toESM(require("path"), 1);
+function getWorkspaceCrn(tomlString) {
+  let currentSection = "";
+  let workspaceCrn;
+  const lines = tomlString.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmedLine = line.trim();
+    if (!trimmedLine || trimmedLine.startsWith("#")) {
+      continue;
+    }
+    const sectionMatch = trimmedLine.match(/^\[([^\]]+)\]$/);
+    if (sectionMatch) {
+      currentSection = sectionMatch[1];
+      continue;
+    }
+    const kvMatch = trimmedLine.match(/^(\w+)\s*=\s*"([^"]+)"$/);
+    if (kvMatch) {
+      const [_, key, value] = kvMatch;
+      if (currentSection === "auth" && key === "workspace_crn") {
+        workspaceCrn = value;
+        break;
+      }
+    }
+  }
+  return workspaceCrn;
+}
+function extractWorkspaceIdFromCrn(crn) {
+  const match = crn.match(/crn:[^:]+:([^:]+)$/);
+  if (!match) {
+    throw new Error("Invalid CRN format");
+  }
+  return match[1];
+}
+function loadWorkSpaceId(suppliedCrn) {
+  const configPath = import_node_path.default.join(process.cwd(), "cipherstash.toml");
+  if (suppliedCrn) {
+    return extractWorkspaceIdFromCrn(suppliedCrn);
+  }
+  if (!import_node_fs.default.existsSync(configPath) && !process.env.CS_WORKSPACE_CRN) {
+    throw new Error(
+      "You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable."
+    );
+  }
+  if (process.env.CS_WORKSPACE_CRN) {
+    return extractWorkspaceIdFromCrn(process.env.CS_WORKSPACE_CRN);
+  }
+  if (!import_node_fs.default.existsSync(configPath)) {
+    throw new Error(
+      "You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable."
+    );
+  }
+  const tomlString = import_node_fs.default.readFileSync(configPath, "utf8");
+  const workspaceCrn = getWorkspaceCrn(tomlString);
+  if (!workspaceCrn) {
+    throw new Error(
+      "You have not defined a workspace CRN in your config file, or the CS_WORKSPACE_CRN environment variable."
+    );
+  }
+  return extractWorkspaceIdFromCrn(workspaceCrn);
+}
+
+// src/utils/logger/index.ts
+var import_evlog = require("evlog");
+function samplingFromEnv() {
+  const env = process.env.STASH_LOG_LEVEL;
+  if (!env) return void 0;
+  const levels = ["debug", "info", "warn", "error"];
+  const idx = levels.indexOf(env);
+  if (idx === -1) return void 0;
+  return Object.fromEntries(levels.map((l, i) => [l, i >= idx ? 100 : 0]));
+}
+var initialized = false;
+function initStackLogger(config) {
+  if (initialized) return;
+  initialized = true;
+  const rates = samplingFromEnv();
+  (0, import_evlog.initLogger)({
+    env: { service: "@cipherstash/stack" },
+    enabled: config?.enabled ?? true,
+    pretty: config?.pretty,
+    ...rates && { sampling: { rates } },
+    ...config?.drain && { drain: config.drain }
+  });
+}
+initStackLogger();
+function safeMessage(args) {
+  return typeof args[0] === "string" ? args[0] : "";
+}
+var logger = {
+  debug(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({ level: "debug", source: "@cipherstash/stack", message: safeMessage(args) });
+    log.emit();
+  },
+  info(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({ source: "@cipherstash/stack" });
+    log.info(safeMessage(args));
+    log.emit();
+  },
+  warn(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.warn(safeMessage(args));
+    log.emit();
+  },
+  error(...args) {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.error(safeMessage(args));
+    log.emit();
+  }
+};
+
+// src/encryption/ffi/index.ts
+var import_result11 = require("@byteslice/result");
+var import_protect_ffi9 = require("@cipherstash/protect-ffi");
+
+// src/encryption/helpers/index.ts
+function encryptedToCompositeLiteral(obj) {
+  if (obj === null) {
+    throw new Error("encryptedToCompositeLiteral: obj cannot be null");
+  }
+  return `(${JSON.stringify(JSON.stringify(obj))})`;
+}
+function encryptedToEscapedCompositeLiteral(obj) {
+  if (obj === null) {
+    throw new Error("encryptedToEscapedCompositeLiteral: obj cannot be null");
+  }
+  return JSON.stringify(encryptedToCompositeLiteral(obj));
+}
+function formatEncryptedResult(encrypted, returnType) {
+  if (returnType === "composite-literal") {
+    return encryptedToCompositeLiteral(encrypted);
+  }
+  if (returnType === "escaped-composite-literal") {
+    return encryptedToEscapedCompositeLiteral(encrypted);
+  }
+  return encrypted;
+}
+function toFfiKeysetIdentifier(keyset) {
+  if (!keyset) return void 0;
+  if ("name" in keyset) {
+    return { Name: keyset.name };
+  }
+  return { Uuid: keyset.id };
+}
+function isEncryptedPayload(value) {
+  if (value === null) return false;
+  if (typeof value !== "object") return false;
+  const obj = value;
+  if (!("v" in obj) || typeof obj.v !== "number") return false;
+  if (!("i" in obj) || typeof obj.i !== "object") return false;
+  if (!("c" in obj) && !("sv" in obj)) return false;
+  return true;
+}
+
+// src/encryption/ffi/helpers/type-guards.ts
+function isScalarQueryTermArray(value) {
+  return Array.isArray(value) && value.length > 0 && typeof value[0] === "object" && value[0] !== null && "column" in value[0] && "table" in value[0];
+}
+
+// src/encryption/ffi/helpers/error-code.ts
+var import_protect_ffi = require("@cipherstash/protect-ffi");
+function getErrorCode(error) {
+  return error instanceof import_protect_ffi.ProtectError ? error.code : void 0;
+}
+
+// src/encryption/ffi/operations/batch-encrypt-query.ts
+var import_result = require("@byteslice/result");
+var import_protect_ffi2 = require("@cipherstash/protect-ffi");
+
+// src/types.ts
+var queryTypeToFfi = {
+  orderAndRange: "ore",
+  freeTextSearch: "match",
+  equality: "unique",
+  steVecSelector: "ste_vec",
+  steVecTerm: "ste_vec",
+  searchableJson: "ste_vec"
+};
+var queryTypeToQueryOp = {
+  steVecSelector: "ste_vec_selector",
+  steVecTerm: "ste_vec_term"
+};
+
+// src/encryption/ffi/helpers/infer-index-type.ts
+function inferIndexType(column) {
+  const config = column.build();
+  const indexes = config.indexes;
+  if (!indexes || Object.keys(indexes).length === 0) {
+    throw new Error(`Column "${column.getName()}" has no indexes configured`);
+  }
+  if (indexes.unique) return "unique";
+  if (indexes.match) return "match";
+  if (indexes.ore) return "ore";
+  if (indexes.ste_vec) return "ste_vec";
+  throw new Error(
+    `Column "${column.getName()}" has no suitable index for queries`
+  );
+}
+function inferQueryOpFromPlaintext(plaintext) {
+  if (typeof plaintext === "string") {
+    return "ste_vec_selector";
+  }
+  if (typeof plaintext === "object" || typeof plaintext === "number" || typeof plaintext === "boolean" || typeof plaintext === "bigint") {
+    return "ste_vec_term";
+  }
+  return "ste_vec_term";
+}
+function validateIndexType(column, indexType) {
+  const config = column.build();
+  const indexes = config.indexes ?? {};
+  const indexMap = {
+    unique: !!indexes.unique,
+    match: !!indexes.match,
+    ore: !!indexes.ore,
+    ste_vec: !!indexes.ste_vec
+  };
+  if (!indexMap[indexType]) {
+    throw new Error(
+      `Index type "${indexType}" is not configured on column "${column.getName()}"`
+    );
+  }
+}
+function resolveIndexType(column, queryType, plaintext) {
+  const indexType = queryType ? queryTypeToFfi[queryType] : inferIndexType(column);
+  if (queryType) {
+    validateIndexType(column, indexType);
+    if (queryType === "searchableJson") {
+      if (plaintext === void 0 || plaintext === null) {
+        return { indexType };
+      }
+      return { indexType, queryOp: inferQueryOpFromPlaintext(plaintext) };
+    }
+    return { indexType, queryOp: queryTypeToQueryOp[queryType] };
+  }
+  if (indexType === "ste_vec") {
+    if (plaintext === void 0 || plaintext === null) {
+      return { indexType };
+    }
+    return { indexType, queryOp: inferQueryOpFromPlaintext(plaintext) };
+  }
+  return { indexType };
+}
+
+// src/encryption/ffi/helpers/validation.ts
+function validateNumericValue(value) {
+  if (typeof value === "number" && Number.isNaN(value)) {
+    return {
+      failure: {
+        type: EncryptionErrorTypes.EncryptionError,
+        message: "[encryption]: Cannot encrypt NaN value"
+      }
+    };
+  }
+  if (typeof value === "number" && !Number.isFinite(value)) {
+    return {
+      failure: {
+        type: EncryptionErrorTypes.EncryptionError,
+        message: "[encryption]: Cannot encrypt Infinity value"
+      }
+    };
+  }
+  return void 0;
+}
+function assertValidNumericValue(value) {
+  if (typeof value === "number" && Number.isNaN(value)) {
+    throw new Error("[encryption]: Cannot encrypt NaN value");
+  }
+  if (typeof value === "number" && !Number.isFinite(value)) {
+    throw new Error("[encryption]: Cannot encrypt Infinity value");
+  }
+}
+function assertValueIndexCompatibility(value, indexType, columnName) {
+  if (typeof value === "number" && indexType === "match") {
+    throw new Error(
+      `[encryption]: Cannot use 'match' index with numeric value on column "${columnName}". The 'freeTextSearch' index only supports string values. Configure the column with 'orderAndRange()' or 'equality()' for numeric queries.`
+    );
+  }
+}
+
+// src/encryption/ffi/operations/base-operation.ts
+var EncryptionOperation = class {
+  auditMetadata;
+  /**
+   * Attach audit metadata to this operation. Can be chained.
+   * @param config Configuration for ZeroKMS audit logging
+   * @param config.metadata Arbitrary JSON object for appending metadata to the audit log
+   */
+  audit(config) {
+    this.auditMetadata = config.metadata;
+    return this;
+  }
+  /**
+   * Get the audit data for this operation.
+   */
+  getAuditData() {
+    return {
+      metadata: this.auditMetadata
+    };
+  }
+  /**
+   * Make the operation thenable
+   */
+  then(onfulfilled, onrejected) {
+    return this.execute().then(onfulfilled, onrejected);
+  }
+};
+
+// src/encryption/ffi/operations/batch-encrypt-query.ts
+function filterNullTerms(terms) {
+  const nullIndices = /* @__PURE__ */ new Set();
+  const nonNullTerms = [];
+  terms.forEach((term, index) => {
+    if (term.value === null || term.value === void 0) {
+      nullIndices.add(index);
+    } else {
+      nonNullTerms.push({ term, originalIndex: index });
+    }
+  });
+  return { nullIndices, nonNullTerms };
+}
+function buildQueryPayload(term, lockContext) {
+  assertValidNumericValue(term.value);
+  const { indexType, queryOp } = resolveIndexType(
+    term.column,
+    term.queryType,
+    term.value
+  );
+  assertValueIndexCompatibility(term.value, indexType, term.column.getName());
+  const payload = {
+    plaintext: term.value,
+    column: term.column.getName(),
+    table: term.table.tableName,
+    indexType,
+    queryOp
+  };
+  if (lockContext != null) {
+    payload.lockContext = lockContext;
+  }
+  return payload;
+}
+function assembleResults(totalLength, encryptedValues, nonNullTerms) {
+  const results = new Array(totalLength).fill(null);
+  nonNullTerms.forEach(({ term, originalIndex }, i) => {
+    const encrypted = encryptedValues[i];
+    results[originalIndex] = formatEncryptedResult(encrypted, term.returnType);
+  });
+  return results;
+}
+var BatchEncryptQueryOperation = class extends EncryptionOperation {
+  constructor(client, terms) {
+    super();
+    this.client = client;
+    this.terms = terms;
+  }
+  withLockContext(lockContext) {
+    return new BatchEncryptQueryOperationWithLockContext(
+      this.client,
+      this.terms,
+      lockContext,
+      this.auditMetadata
+    );
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "batchEncryptQuery",
+      count: this.terms.length,
+      lockContext: false
+    });
+    if (this.terms.length === 0) {
+      log.emit();
+      return { data: [] };
+    }
+    const { nullIndices, nonNullTerms } = filterNullTerms(this.terms);
+    if (nonNullTerms.length === 0) {
+      log.emit();
+      return { data: this.terms.map(() => null) };
+    }
+    const result = await (0, import_result.withResult)(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const queries = nonNullTerms.map(
+          ({ term }) => buildQueryPayload(term)
+        );
+        const encrypted = await (0, import_protect_ffi2.encryptQueryBulk)(this.client, {
+          queries,
+          unverifiedContext: metadata
+        });
+        return assembleResults(this.terms.length, encrypted, nonNullTerms);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+var BatchEncryptQueryOperationWithLockContext = class extends EncryptionOperation {
+  constructor(client, terms, lockContext, auditMetadata) {
+    super();
+    this.client = client;
+    this.terms = terms;
+    this.lockContext = lockContext;
+    this.auditMetadata = auditMetadata;
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "batchEncryptQuery",
+      count: this.terms.length,
+      lockContext: true
+    });
+    if (this.terms.length === 0) {
+      log.emit();
+      return { data: [] };
+    }
+    const { nullIndices, nonNullTerms } = filterNullTerms(this.terms);
+    if (nonNullTerms.length === 0) {
+      log.emit();
+      return { data: this.terms.map(() => null) };
+    }
+    const lockContextResult = await this.lockContext.getLockContext();
+    if (lockContextResult.failure) {
+      log.emit();
+      return { failure: lockContextResult.failure };
+    }
+    const { ctsToken, context } = lockContextResult.data;
+    const result = await (0, import_result.withResult)(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const queries = nonNullTerms.map(
+          ({ term }) => buildQueryPayload(term, context)
+        );
+        const encrypted = await (0, import_protect_ffi2.encryptQueryBulk)(this.client, {
+          queries,
+          serviceToken: ctsToken,
+          unverifiedContext: metadata
+        });
+        return assembleResults(this.terms.length, encrypted, nonNullTerms);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-decrypt.ts
+var import_result2 = require("@byteslice/result");
+var import_protect_ffi3 = require("@cipherstash/protect-ffi");
+var createDecryptPayloads = (encryptedPayloads, lockContext) => {
+  return encryptedPayloads.map((item, index) => ({ ...item, originalIndex: index })).filter(({ data }) => data !== null).map(({ id, data, originalIndex }) => ({
+    id,
+    ciphertext: data,
+    originalIndex,
+    ...lockContext && { lockContext }
+  }));
+};
+var createNullResult = (encryptedPayloads) => {
+  return encryptedPayloads.map(({ id }) => ({
+    id,
+    data: null
+  }));
+};
+var mapDecryptedDataToResult = (encryptedPayloads, decryptedData) => {
+  const result = new Array(encryptedPayloads.length);
+  let decryptedIndex = 0;
+  for (let i = 0; i < encryptedPayloads.length; i++) {
+    if (encryptedPayloads[i].data === null) {
+      result[i] = { id: encryptedPayloads[i].id, data: null };
+    } else {
+      const decryptResult = decryptedData[decryptedIndex];
+      if ("error" in decryptResult) {
+        result[i] = {
+          id: encryptedPayloads[i].id,
+          error: decryptResult.error
+        };
+      } else {
+        result[i] = {
+          id: encryptedPayloads[i].id,
+          data: decryptResult.data
+        };
+      }
+      decryptedIndex++;
+    }
+  }
+  return result;
+};
+var BulkDecryptOperation = class extends EncryptionOperation {
+  client;
+  encryptedPayloads;
+  constructor(client, encryptedPayloads) {
+    super();
+    this.client = client;
+    this.encryptedPayloads = encryptedPayloads;
+  }
+  withLockContext(lockContext) {
+    return new BulkDecryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkDecrypt",
+      count: this.encryptedPayloads?.length ?? 0,
+      lockContext: false
+    });
+    const result = await (0, import_result2.withResult)(
+      async () => {
+        if (!this.client) throw noClientError();
+        if (!this.encryptedPayloads || this.encryptedPayloads.length === 0)
+          return [];
+        const nonNullPayloads = createDecryptPayloads(this.encryptedPayloads);
+        if (nonNullPayloads.length === 0) {
+          return createNullResult(this.encryptedPayloads);
+        }
+        const { metadata } = this.getAuditData();
+        const decryptedData = await (0, import_protect_ffi3.decryptBulkFallible)(this.client, {
+          ciphertexts: nonNullPayloads,
+          unverifiedContext: metadata
+        });
+        return mapDecryptedDataToResult(this.encryptedPayloads, decryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      encryptedPayloads: this.encryptedPayloads
+    };
+  }
+};
+var BulkDecryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, encryptedPayloads } = this.operation.getOperation();
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkDecrypt",
+      count: encryptedPayloads?.length ?? 0,
+      lockContext: true
+    });
+    const result = await (0, import_result2.withResult)(
+      async () => {
+        if (!client) throw noClientError();
+        if (!encryptedPayloads || encryptedPayloads.length === 0) return [];
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const nonNullPayloads = createDecryptPayloads(
+          encryptedPayloads,
+          context.data.context
+        );
+        if (nonNullPayloads.length === 0) {
+          return createNullResult(encryptedPayloads);
+        }
+        const { metadata } = this.getAuditData();
+        const decryptedData = await (0, import_protect_ffi3.decryptBulkFallible)(client, {
+          ciphertexts: nonNullPayloads,
+          serviceToken: context.data.ctsToken,
+          unverifiedContext: metadata
+        });
+        return mapDecryptedDataToResult(encryptedPayloads, decryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-decrypt-models.ts
+var import_result3 = require("@byteslice/result");
+
+// src/encryption/ffi/model-helpers.ts
+var import_protect_ffi4 = require("@cipherstash/protect-ffi");
+function setNestedValue(obj, path2, value) {
+  const FORBIDDEN_KEYS = ["__proto__", "prototype", "constructor"];
+  let current = obj;
+  for (let i = 0; i < path2.length - 1; i++) {
+    const part = path2[i];
+    if (FORBIDDEN_KEYS.includes(part)) {
+      throw new Error(`[encryption]: Forbidden key "${part}" in field path`);
+    }
+    if (!(part in current) || typeof current[part] !== "object" || current[part] === null) {
+      current[part] = {};
+    }
+    current = current[part];
+  }
+  const lastKey = path2[path2.length - 1];
+  if (FORBIDDEN_KEYS.includes(lastKey)) {
+    throw new Error(`[encryption]: Forbidden key "${lastKey}" in field path`);
+  }
+  current[lastKey] = value;
+}
+async function handleSingleModelBulkOperation(items, operation, keyMap) {
+  if (items.length === 0) {
+    return {};
+  }
+  const results = await operation(items);
+  const mappedResults = {};
+  results.forEach((result, index) => {
+    const originalKey = keyMap[index.toString()];
+    mappedResults[originalKey] = result;
+  });
+  return mappedResults;
+}
+async function handleMultiModelBulkOperation(items, operation, keyMap) {
+  if (items.length === 0) {
+    return {};
+  }
+  const results = await operation(items);
+  const mappedResults = {};
+  results.forEach((result, index) => {
+    const key = index.toString();
+    const { modelIndex, fieldKey } = keyMap[key];
+    mappedResults[`${modelIndex}-${fieldKey}`] = result;
+  });
+  return mappedResults;
+}
+function prepareFieldsForDecryption(model) {
+  const otherFields = { ...model };
+  const operationFields = {};
+  const nullFields = {};
+  const keyMap = {};
+  let index = 0;
+  const processNestedFields = (obj, prefix = "") => {
+    for (const [key, value] of Object.entries(obj)) {
+      const fullKey = prefix ? `${prefix}.${key}` : key;
+      if (value === null || value === void 0) {
+        nullFields[fullKey] = value;
+        continue;
+      }
+      if (typeof value === "object" && !isEncryptedPayload(value)) {
+        processNestedFields(value, fullKey);
+      } else if (isEncryptedPayload(value)) {
+        const id = index.toString();
+        keyMap[id] = fullKey;
+        operationFields[fullKey] = value;
+        index++;
+        const parts = fullKey.split(".");
+        let current = otherFields;
+        for (let i = 0; i < parts.length - 1; i++) {
+          current = current[parts[i]];
+        }
+        delete current[parts[parts.length - 1]];
+      }
+    }
+  };
+  processNestedFields(model);
+  return { otherFields, operationFields, keyMap, nullFields };
+}
+function prepareFieldsForEncryption(model, table) {
+  const otherFields = { ...model };
+  const operationFields = {};
+  const nullFields = {};
+  const keyMap = {};
+  let index = 0;
+  const processNestedFields = (obj, prefix = "", columnPaths2 = []) => {
+    for (const [key, value] of Object.entries(obj)) {
+      const fullKey = prefix ? `${prefix}.${key}` : key;
+      if (value === null || value === void 0) {
+        nullFields[fullKey] = value;
+        continue;
+      }
+      if (typeof value === "object" && !isEncryptedPayload(value) && !columnPaths2.includes(fullKey)) {
+        if (columnPaths2.some((path2) => path2.startsWith(fullKey))) {
+          processNestedFields(
+            value,
+            fullKey,
+            columnPaths2
+          );
+        }
+      } else if (columnPaths2.includes(fullKey)) {
+        const id = index.toString();
+        keyMap[id] = fullKey;
+        operationFields[fullKey] = value;
+        index++;
+        const parts = fullKey.split(".");
+        let current = otherFields;
+        for (let i = 0; i < parts.length - 1; i++) {
+          current = current[parts[i]];
+        }
+        delete current[parts[parts.length - 1]];
+      }
+    }
+  };
+  const columnPaths = Object.keys(table.build().columns);
+  processNestedFields(model, "", columnPaths);
+  return { otherFields, operationFields, keyMap, nullFields };
+}
+async function decryptModelFields(model, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForDecryption(model);
+  const bulkDecryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      ciphertext: value
+    })
+  );
+  const decryptedFields = await handleSingleModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => (0, import_protect_ffi4.decryptBulk)(client, {
+      ciphertexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(decryptedFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+async function encryptModelFields(model, table, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForEncryption(model, table);
+  const bulkEncryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      plaintext: value,
+      table: table.tableName,
+      column: key
+    })
+  );
+  const encryptedData = await handleSingleModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => (0, import_protect_ffi4.encryptBulk)(client, {
+      plaintexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(encryptedData)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+async function decryptModelFieldsWithLockContext(model, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForDecryption(model);
+  const bulkDecryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      ciphertext: value,
+      lockContext: lockContext.context
+    })
+  );
+  const decryptedFields = await handleSingleModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => (0, import_protect_ffi4.decryptBulk)(client, {
+      ciphertexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(decryptedFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+async function encryptModelFieldsWithLockContext(model, table, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForEncryption(model, table);
+  const bulkEncryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      plaintext: value,
+      table: table.tableName,
+      column: key,
+      lockContext: lockContext.context
+    })
+  );
+  const encryptedData = await handleSingleModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => (0, import_protect_ffi4.encryptBulk)(client, {
+      plaintexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(encryptedData)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+function prepareBulkModelsForOperation(models, table) {
+  const otherFields = [];
+  const operationFields = [];
+  const nullFields = [];
+  const keyMap = {};
+  let index = 0;
+  for (let modelIndex = 0; modelIndex < models.length; modelIndex++) {
+    const model = models[modelIndex];
+    const modelOtherFields = { ...model };
+    const modelOperationFields = {};
+    const modelNullFields = {};
+    const processNestedFields = (obj, prefix = "", columnPaths = []) => {
+      for (const [key, value] of Object.entries(obj)) {
+        const fullKey = prefix ? `${prefix}.${key}` : key;
+        if (value === null || value === void 0) {
+          modelNullFields[fullKey] = value;
+          continue;
+        }
+        if (typeof value === "object" && !isEncryptedPayload(value) && !columnPaths.includes(fullKey)) {
+          if (columnPaths.some((path2) => path2.startsWith(fullKey))) {
+            processNestedFields(
+              value,
+              fullKey,
+              columnPaths
+            );
+          }
+        } else if (columnPaths.includes(fullKey)) {
+          const id = index.toString();
+          keyMap[id] = { modelIndex, fieldKey: fullKey };
+          modelOperationFields[fullKey] = value;
+          index++;
+          const parts = fullKey.split(".");
+          let current = modelOtherFields;
+          for (let i = 0; i < parts.length - 1; i++) {
+            current = current[parts[i]];
+          }
+          delete current[parts[parts.length - 1]];
+        }
+      }
+    };
+    if (table) {
+      const columnPaths = Object.keys(table.build().columns);
+      processNestedFields(model, "", columnPaths);
+    } else {
+      const processEncryptedFields = (obj, prefix = "", columnPaths = []) => {
+        for (const [key, value] of Object.entries(obj)) {
+          const fullKey = prefix ? `${prefix}.${key}` : key;
+          if (value === null || value === void 0) {
+            modelNullFields[fullKey] = value;
+            continue;
+          }
+          if (typeof value === "object" && !isEncryptedPayload(value) && !columnPaths.includes(fullKey)) {
+            processEncryptedFields(
+              value,
+              fullKey,
+              columnPaths
+            );
+          } else if (isEncryptedPayload(value)) {
+            const id = index.toString();
+            keyMap[id] = { modelIndex, fieldKey: fullKey };
+            modelOperationFields[fullKey] = value;
+            index++;
+            const parts = fullKey.split(".");
+            let current = modelOtherFields;
+            for (let i = 0; i < parts.length - 1; i++) {
+              current = current[parts[i]];
+            }
+            delete current[parts[parts.length - 1]];
+          }
+        }
+      };
+      processEncryptedFields(model);
+    }
+    otherFields.push(modelOtherFields);
+    operationFields.push(modelOperationFields);
+    nullFields.push(modelNullFields);
+  }
+  return { otherFields, operationFields, keyMap, nullFields };
+}
+async function bulkEncryptModels(models, table, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!models || models.length === 0) {
+    return [];
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models, table);
+  const bulkEncryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      plaintext: value,
+      table: table.tableName,
+      column: key
+    }))
+  );
+  const encryptedData = await handleMultiModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => (0, import_protect_ffi4.encryptBulk)(client, {
+      plaintexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(encryptedData).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+async function bulkDecryptModels(models, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!models || models.length === 0) {
+    return [];
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models);
+  const bulkDecryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      ciphertext: value
+    }))
+  );
+  const decryptedFields = await handleMultiModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => (0, import_protect_ffi4.decryptBulk)(client, {
+      ciphertexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(decryptedFields).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+async function bulkDecryptModelsWithLockContext(models, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models);
+  const bulkDecryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      ciphertext: value,
+      lockContext: lockContext.context
+    }))
+  );
+  const decryptedFields = await handleMultiModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => (0, import_protect_ffi4.decryptBulk)(client, {
+      ciphertexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(decryptedFields).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+async function bulkEncryptModelsWithLockContext(models, table, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models, table);
+  const bulkEncryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      plaintext: value,
+      table: table.tableName,
+      column: key,
+      lockContext: lockContext.context
+    }))
+  );
+  const encryptedData = await handleMultiModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => (0, import_protect_ffi4.encryptBulk)(client, {
+      plaintexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(encryptedData).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+
+// src/encryption/ffi/operations/bulk-decrypt-models.ts
+var BulkDecryptModelsOperation = class extends EncryptionOperation {
+  client;
+  models;
+  constructor(client, models) {
+    super();
+    this.client = client;
+    this.models = models;
+  }
+  withLockContext(lockContext) {
+    return new BulkDecryptModelsOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkDecryptModels",
+      count: this.models.length,
+      lockContext: false
+    });
+    const result = await (0, import_result3.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await bulkDecryptModels(this.models, this.client, auditData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      models: this.models
+    };
+  }
+};
+var BulkDecryptModelsOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, models } = this.operation.getOperation();
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkDecryptModels",
+      count: models.length,
+      lockContext: true
+    });
+    const result = await (0, import_result3.withResult)(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await bulkDecryptModelsWithLockContext(
+          models,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-encrypt.ts
+var import_result4 = require("@byteslice/result");
+var import_protect_ffi5 = require("@cipherstash/protect-ffi");
+var createEncryptPayloads = (plaintexts, column, table, lockContext) => {
+  return plaintexts.map((item, index) => ({ ...item, originalIndex: index })).filter(({ plaintext }) => plaintext !== null).map(({ id, plaintext, originalIndex }) => ({
+    id,
+    plaintext,
+    column: column.getName(),
+    table: table.tableName,
+    originalIndex,
+    ...lockContext && { lockContext }
+  }));
+};
+var createNullResult2 = (plaintexts) => {
+  return plaintexts.map(({ id }) => ({ id, data: null }));
+};
+var mapEncryptedDataToResult = (plaintexts, encryptedData) => {
+  const result = new Array(plaintexts.length);
+  let encryptedIndex = 0;
+  for (let i = 0; i < plaintexts.length; i++) {
+    if (plaintexts[i].plaintext === null) {
+      result[i] = { id: plaintexts[i].id, data: null };
+    } else {
+      result[i] = {
+        id: plaintexts[i].id,
+        data: encryptedData[encryptedIndex]
+      };
+      encryptedIndex++;
+    }
+  }
+  return result;
+};
+var BulkEncryptOperation = class extends EncryptionOperation {
+  client;
+  plaintexts;
+  column;
+  table;
+  constructor(client, plaintexts, opts) {
+    super();
+    this.client = client;
+    this.plaintexts = plaintexts;
+    this.column = opts.column;
+    this.table = opts.table;
+  }
+  withLockContext(lockContext) {
+    return new BulkEncryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkEncrypt",
+      table: this.table.tableName,
+      column: this.column.getName(),
+      count: this.plaintexts?.length ?? 0,
+      lockContext: false
+    });
+    const result = await (0, import_result4.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        if (!this.plaintexts || this.plaintexts.length === 0) {
+          return [];
+        }
+        const nonNullPayloads = createEncryptPayloads(
+          this.plaintexts,
+          this.column,
+          this.table
+        );
+        if (nonNullPayloads.length === 0) {
+          return createNullResult2(this.plaintexts);
+        }
+        const { metadata } = this.getAuditData();
+        const encryptedData = await (0, import_protect_ffi5.encryptBulk)(this.client, {
+          plaintexts: nonNullPayloads,
+          unverifiedContext: metadata
+        });
+        return mapEncryptedDataToResult(this.plaintexts, encryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      plaintexts: this.plaintexts,
+      column: this.column,
+      table: this.table
+    };
+  }
+};
+var BulkEncryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, plaintexts, column, table } = this.operation.getOperation();
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkEncrypt",
+      table: table.tableName,
+      column: column.getName(),
+      count: plaintexts?.length ?? 0,
+      lockContext: true
+    });
+    const result = await (0, import_result4.withResult)(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        if (!plaintexts || plaintexts.length === 0) {
+          return [];
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const nonNullPayloads = createEncryptPayloads(
+          plaintexts,
+          column,
+          table,
+          context.data.context
+        );
+        if (nonNullPayloads.length === 0) {
+          return createNullResult2(plaintexts);
+        }
+        const { metadata } = this.getAuditData();
+        const encryptedData = await (0, import_protect_ffi5.encryptBulk)(client, {
+          plaintexts: nonNullPayloads,
+          serviceToken: context.data.ctsToken,
+          unverifiedContext: metadata
+        });
+        return mapEncryptedDataToResult(plaintexts, encryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-encrypt-models.ts
+var import_result5 = require("@byteslice/result");
+var BulkEncryptModelsOperation = class extends EncryptionOperation {
+  client;
+  models;
+  table;
+  constructor(client, models, table) {
+    super();
+    this.client = client;
+    this.models = models;
+    this.table = table;
+  }
+  withLockContext(lockContext) {
+    return new BulkEncryptModelsOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkEncryptModels",
+      table: this.table.tableName,
+      count: this.models.length,
+      lockContext: false
+    });
+    const result = await (0, import_result5.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await bulkEncryptModels(
+          this.models,
+          this.table,
+          this.client,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      models: this.models,
+      table: this.table
+    };
+  }
+};
+var BulkEncryptModelsOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, models, table } = this.operation.getOperation();
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "bulkEncryptModels",
+      table: table.tableName,
+      count: models.length,
+      lockContext: true
+    });
+    const result = await (0, import_result5.withResult)(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await bulkEncryptModelsWithLockContext(
+          models,
+          table,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/decrypt.ts
+var import_result6 = require("@byteslice/result");
+var import_protect_ffi6 = require("@cipherstash/protect-ffi");
+var DecryptOperation = class extends EncryptionOperation {
+  client;
+  encryptedData;
+  constructor(client, encryptedData) {
+    super();
+    this.client = client;
+    this.encryptedData = encryptedData;
+  }
+  withLockContext(lockContext) {
+    return new DecryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "decrypt",
+      lockContext: false
+    });
+    const result = await (0, import_result6.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        if (this.encryptedData === null) {
+          return null;
+        }
+        const { metadata } = this.getAuditData();
+        return await (0, import_protect_ffi6.decrypt)(this.client, {
+          ciphertext: this.encryptedData,
+          unverifiedContext: metadata
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      encryptedData: this.encryptedData,
+      auditData: this.getAuditData()
+    };
+  }
+};
+var DecryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "decrypt",
+      lockContext: true
+    });
+    const result = await (0, import_result6.withResult)(
+      async () => {
+        const { client, encryptedData } = this.operation.getOperation();
+        if (!client) {
+          throw noClientError();
+        }
+        if (encryptedData === null) {
+          return null;
+        }
+        const { metadata } = this.getAuditData();
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        return await (0, import_protect_ffi6.decrypt)(client, {
+          ciphertext: encryptedData,
+          unverifiedContext: metadata,
+          lockContext: context.data.context,
+          serviceToken: context.data.ctsToken
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/decrypt-model.ts
+var import_result7 = require("@byteslice/result");
+var DecryptModelOperation = class extends EncryptionOperation {
+  client;
+  model;
+  constructor(client, model) {
+    super();
+    this.client = client;
+    this.model = model;
+  }
+  withLockContext(lockContext) {
+    return new DecryptModelOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "decryptModel",
+      lockContext: false
+    });
+    const result = await (0, import_result7.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await decryptModelFields(this.model, this.client, auditData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      model: this.model
+    };
+  }
+};
+var DecryptModelOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "decryptModel",
+      lockContext: true
+    });
+    const result = await (0, import_result7.withResult)(
+      async () => {
+        const { client, model } = this.operation.getOperation();
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await decryptModelFieldsWithLockContext(
+          model,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/encrypt.ts
+var import_result8 = require("@byteslice/result");
+var import_protect_ffi7 = require("@cipherstash/protect-ffi");
+var EncryptOperation = class extends EncryptionOperation {
+  client;
+  plaintext;
+  column;
+  table;
+  constructor(client, plaintext, opts) {
+    super();
+    this.client = client;
+    this.plaintext = plaintext;
+    this.column = opts.column;
+    this.table = opts.table;
+  }
+  withLockContext(lockContext) {
+    return new EncryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "encrypt",
+      table: this.table.tableName,
+      column: this.column.getName(),
+      lockContext: false
+    });
+    const result = await (0, import_result8.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        if (this.plaintext === null) {
+          return null;
+        }
+        if (typeof this.plaintext === "number" && Number.isNaN(this.plaintext)) {
+          throw new Error("[encryption]: Cannot encrypt NaN value");
+        }
+        if (typeof this.plaintext === "number" && !Number.isFinite(this.plaintext)) {
+          throw new Error("[encryption]: Cannot encrypt Infinity value");
+        }
+        const { metadata } = this.getAuditData();
+        return await (0, import_protect_ffi7.encrypt)(this.client, {
+          plaintext: this.plaintext,
+          column: this.column.getName(),
+          table: this.table.tableName,
+          unverifiedContext: metadata
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      plaintext: this.plaintext,
+      column: this.column,
+      table: this.table
+    };
+  }
+};
+var EncryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, plaintext, column, table } = this.operation.getOperation();
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "encrypt",
+      table: table.tableName,
+      column: column.getName(),
+      lockContext: true
+    });
+    const result = await (0, import_result8.withResult)(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        if (plaintext === null) {
+          return null;
+        }
+        const { metadata } = this.getAuditData();
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        return await (0, import_protect_ffi7.encrypt)(client, {
+          plaintext,
+          column: column.getName(),
+          table: table.tableName,
+          lockContext: context.data.context,
+          serviceToken: context.data.ctsToken,
+          unverifiedContext: metadata
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/encrypt-model.ts
+var import_result9 = require("@byteslice/result");
+var EncryptModelOperation = class extends EncryptionOperation {
+  client;
+  model;
+  table;
+  constructor(client, model, table) {
+    super();
+    this.client = client;
+    this.model = model;
+    this.table = table;
+  }
+  withLockContext(lockContext) {
+    return new EncryptModelOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "encryptModel",
+      table: this.table.tableName,
+      lockContext: false
+    });
+    const result = await (0, import_result9.withResult)(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await encryptModelFields(
+          this.model,
+          this.table,
+          this.client,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      model: this.model,
+      table: this.table
+    };
+  }
+};
+var EncryptModelOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, model, table } = this.operation.getOperation();
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "encryptModel",
+      table: table.tableName,
+      lockContext: true
+    });
+    const result = await (0, import_result9.withResult)(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await encryptModelFieldsWithLockContext(
+          model,
+          table,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/encrypt-query.ts
+var import_result10 = require("@byteslice/result");
+var import_protect_ffi8 = require("@cipherstash/protect-ffi");
+var EncryptQueryOperation = class extends EncryptionOperation {
+  constructor(client, plaintext, opts) {
+    super();
+    this.client = client;
+    this.plaintext = plaintext;
+    this.opts = opts;
+  }
+  withLockContext(lockContext) {
+    return new EncryptQueryOperationWithLockContext(
+      this.client,
+      this.plaintext,
+      this.opts,
+      lockContext,
+      this.auditMetadata
+    );
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "encryptQuery",
+      table: this.opts.table.tableName,
+      column: this.opts.column.getName(),
+      queryType: this.opts.queryType,
+      lockContext: false
+    });
+    if (this.plaintext === null || this.plaintext === void 0) {
+      log.emit();
+      return { data: null };
+    }
+    const validationError = validateNumericValue(this.plaintext);
+    if (validationError?.failure) {
+      log.emit();
+      return { failure: validationError.failure };
+    }
+    const result = await (0, import_result10.withResult)(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const { indexType, queryOp } = resolveIndexType(
+          this.opts.column,
+          this.opts.queryType,
+          this.plaintext
+        );
+        assertValueIndexCompatibility(
+          this.plaintext,
+          indexType,
+          this.opts.column.getName()
+        );
+        const encrypted = await (0, import_protect_ffi8.encryptQuery)(this.client, {
+          plaintext: this.plaintext,
+          column: this.opts.column.getName(),
+          table: this.opts.table.tableName,
+          indexType,
+          queryOp,
+          unverifiedContext: metadata
+        });
+        return formatEncryptedResult(encrypted, this.opts.returnType);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return { client: this.client, plaintext: this.plaintext, ...this.opts };
+  }
+};
+var EncryptQueryOperationWithLockContext = class extends EncryptionOperation {
+  constructor(client, plaintext, opts, lockContext, auditMetadata) {
+    super();
+    this.client = client;
+    this.plaintext = plaintext;
+    this.opts = opts;
+    this.lockContext = lockContext;
+    this.auditMetadata = auditMetadata;
+  }
+  async execute() {
+    const log = (0, import_evlog.createRequestLogger)();
+    log.set({
+      op: "encryptQuery",
+      table: this.opts.table.tableName,
+      column: this.opts.column.getName(),
+      queryType: this.opts.queryType,
+      lockContext: true
+    });
+    if (this.plaintext === null || this.plaintext === void 0) {
+      log.emit();
+      return { data: null };
+    }
+    const validationError = validateNumericValue(this.plaintext);
+    if (validationError?.failure) {
+      log.emit();
+      return { failure: validationError.failure };
+    }
+    const lockContextResult = await this.lockContext.getLockContext();
+    if (lockContextResult.failure) {
+      log.emit();
+      return { failure: lockContextResult.failure };
+    }
+    const { ctsToken, context } = lockContextResult.data;
+    const result = await (0, import_result10.withResult)(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const { indexType, queryOp } = resolveIndexType(
+          this.opts.column,
+          this.opts.queryType,
+          this.plaintext
+        );
+        assertValueIndexCompatibility(
+          this.plaintext,
+          indexType,
+          this.opts.column.getName()
+        );
+        const encrypted = await (0, import_protect_ffi8.encryptQuery)(this.client, {
+          plaintext: this.plaintext,
+          column: this.opts.column.getName(),
+          table: this.opts.table.tableName,
+          indexType,
+          queryOp,
+          lockContext: context,
+          serviceToken: ctsToken,
+          unverifiedContext: metadata
+        });
+        return formatEncryptedResult(encrypted, this.opts.returnType);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/index.ts
+var noClientError = () => new Error(
+  "The EQL client has not been initialized. Please call init() before using the client."
+);
+var EncryptionClient = class {
+  client;
+  encryptConfig;
+  workspaceId;
+  constructor(workspaceCrn) {
+    const workspaceId = loadWorkSpaceId(workspaceCrn);
+    this.workspaceId = workspaceId;
+  }
+  /**
+   * Initializes the EncryptionClient with the provided configuration.
+   * @internal
+   * @param config - The configuration object for initializing the client.
+   * @returns A promise that resolves to a {@link Result} containing the initialized EncryptionClient or an {@link EncryptionError}.
+   **/
+  async init(config) {
+    return await (0, import_result11.withResult)(
+      async () => {
+        const validated = encryptConfigSchema.parse(
+          config.encryptConfig
+        );
+        logger.debug(
+          "Initializing the Protect.js client with the following encrypt config:",
+          {
+            encryptConfig: validated
+          }
+        );
+        this.client = await (0, import_protect_ffi9.newClient)({
+          encryptConfig: validated,
+          clientOpts: {
+            workspaceCrn: config.workspaceCrn,
+            accessKey: config.accessKey,
+            clientId: config.clientId,
+            clientKey: config.clientKey,
+            keyset: toFfiKeysetIdentifier(config.keyset)
+          }
+        });
+        this.encryptConfig = validated;
+        logger.debug("Successfully initialized the Protect.js client.");
+        return this;
+      },
+      (error) => ({
+        type: EncryptionErrorTypes.ClientInitError,
+        message: error.message
+      })
+    );
+  }
+  /**
+   * Encrypt a value - returns a promise which resolves to an encrypted value.
+   *
+   * @param plaintext - The plaintext value to be encrypted. Can be null.
+   * @param opts - Options specifying the column and table for encryption.
+   * @returns An EncryptOperation that can be awaited or chained with additional methods.
+   *
+   * @example
+   * The following example demonstrates how to encrypt a value using the Encryption client.
+   * It includes defining an encryption schema with {@link encryptedTable} and {@link encryptedColumn},
+   * initializing the client with {@link Encryption}, and performing the encryption.
+   *
+   * `encrypt` returns an {@link EncryptOperation} which can be awaited to get a {@link Result}
+   * which can either be the encrypted value or an {@link EncryptionError}.
+   *
+   * ```typescript
+   * // Define encryption schema
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   * const userSchema = encryptedTable("users", {
+   *  email: encryptedColumn("email"),
+   * });
+   *
+   * // Initialize Encryption client
+   * const client = await Encryption({ schemas: [userSchema] })
+   *
+   * // Encrypt a value
+   * const encryptedResult = await client.encrypt(
+   *  "person@example.com",
+   *  { column: userSchema.email, table: userSchema }
+   * )
+   *
+   * // Handle encryption result
+   * if (encryptedResult.failure) {
+   *   throw new Error(`Encryption failed: ${encryptedResult.failure.message}`);
+   * }
+   *
+   * console.log("Encrypted data:", encryptedResult.data);
+   * ```
+   *
+   * @example
+   * When encrypting data, a {@link LockContext} can be provided to tie the encryption to a specific user or session.
+   * This ensures that the same lock context is required for decryption.
+   *
+   * The following example demonstrates how to create a lock context using a user's JWT token
+   * and use it during encryption.
+   *
+   * ```typescript
+   * // Define encryption schema and initialize client as above
+   *
+   * // Create a lock for the user's `sub` claim from their JWT
+   * const lc = new LockContext();
+   * const lockContext = await lc.identify(userJwt);
+   *
+   * if (lockContext.failure) {
+   *   // Handle the failure
+   * }
+   *
+   * // Encrypt a value with the lock context
+   * // Decryption will then require the same lock context
+   * const encryptedResult = await client.encrypt(
+   *  "person@example.com",
+   *  { column: userSchema.email, table: userSchema }
+   * )
+   *  .withLockContext(lockContext)
+   * ```
+   *
+   * @see {@link Result}
+   * @see {@link encryptedTable}
+   * @see {@link LockContext}
+   * @see {@link EncryptOperation}
+   */
+  encrypt(plaintext, opts) {
+    return new EncryptOperation(this.client, plaintext, opts);
+  }
+  encryptQuery(plaintextOrTerms, opts) {
+    if (isScalarQueryTermArray(plaintextOrTerms)) {
+      return new BatchEncryptQueryOperation(this.client, plaintextOrTerms);
+    }
+    if (Array.isArray(plaintextOrTerms) && plaintextOrTerms.length === 0 && !opts) {
+      return new BatchEncryptQueryOperation(
+        this.client,
+        []
+      );
+    }
+    if (!opts) {
+      throw new Error("EncryptQueryOptions are required");
+    }
+    return new EncryptQueryOperation(
+      this.client,
+      plaintextOrTerms,
+      opts
+    );
+  }
+  /**
+   * Decryption - returns a promise which resolves to a decrypted value.
+   *
+   * @param encryptedData - The encrypted data to be decrypted.
+   * @returns A DecryptOperation that can be awaited or chained with additional methods.
+   *
+   * @example
+   * The following example demonstrates how to decrypt a value that was previously encrypted using the {@link encrypt} method.
+   * It includes encrypting a value first, then decrypting it, and handling the result.
+   *
+   * ```typescript
+   * const encryptedData = await client.encrypt(
+   *  "person@example.com",
+   *  { column: "email", table: "users" }
+   * )
+   * const decryptResult = await client.decrypt(encryptedData)
+   * if (decryptResult.failure) {
+   *   throw new Error(`Decryption failed: ${decryptResult.failure.message}`);
+   * }
+   * console.log("Decrypted data:", decryptResult.data);
+   * ```
+   *
+   * @example
+   * Provide a lock context when decrypting:
+   * ```typescript
+   *    await client.decrypt(encryptedData)
+   *      .withLockContext(lockContext)
+   * ```
+   *
+   * @see {@link LockContext}
+   * @see {@link DecryptOperation}
+   */
+  decrypt(encryptedData) {
+    return new DecryptOperation(this.client, encryptedData);
+  }
+  /**
+   * Encrypt a model (object) based on the table schema.
+   *
+   * Only fields whose keys match columns defined in the table schema are encrypted.
+   * All other fields are passed through unchanged. Returns a thenable operation
+   * that supports `.withLockContext()` for identity-aware encryption.
+   *
+   * @param input - The model object with plaintext values to encrypt.
+   * @param table - The table schema defining which fields to encrypt.
+   * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
+   *   containing the model with encrypted fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * type User = { id: string; email: string; createdAt: Date }
+   *
+   * const usersSchema = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   *
+   * const client = await Encryption({ schemas: [usersSchema] })
+   *
+   * const result = await client.encryptModel<User>(
+   *   { id: "user_123", email: "alice@example.com", createdAt: new Date() },
+   *   usersSchema,
+   * )
+   *
+   * if (result.failure) {
+   *   console.error(result.failure.message)
+   * } else {
+   *   // result.data.id is unchanged, result.data.email is encrypted
+   *   console.log(result.data)
+   * }
+   * ```
+   */
+  encryptModel(input, table) {
+    return new EncryptModelOperation(this.client, input, table);
+  }
+  /**
+   * Decrypt a model (object) whose fields contain encrypted values.
+   *
+   * Identifies encrypted fields automatically and decrypts them, returning the
+   * model with plaintext values. Returns a thenable operation that supports
+   * `.withLockContext()` for identity-aware decryption.
+   *
+   * @param input - The model object with encrypted field values.
+   * @returns A `DecryptModelOperation<T>` that can be awaited to get a `Result`
+   *   containing the model with decrypted plaintext fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * // Decrypt a previously encrypted model
+   * const decrypted = await client.decryptModel<User>(encryptedUser)
+   *
+   * if (decrypted.failure) {
+   *   console.error(decrypted.failure.message)
+   * } else {
+   *   console.log(decrypted.data.email) // "alice@example.com"
+   * }
+   *
+   * // With a lock context
+   * const decrypted = await client
+   *   .decryptModel<User>(encryptedUser)
+   *   .withLockContext(lockContext)
+   * ```
+   */
+  decryptModel(input) {
+    return new DecryptModelOperation(this.client, input);
+  }
+  /**
+   * Encrypt multiple models (objects) in a single bulk operation.
+   *
+   * Performs a single call to ZeroKMS regardless of the number of models,
+   * while still using a unique key for each encrypted value. Only fields
+   * matching the table schema are encrypted; other fields pass through unchanged.
+   *
+   * @param input - An array of model objects with plaintext values to encrypt.
+   * @param table - The table schema defining which fields to encrypt.
+   * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
+   *   containing an array of models with encrypted fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * type User = { id: string; email: string }
+   *
+   * const usersSchema = encryptedTable("users", {
+   *   email: encryptedColumn("email"),
+   * })
+   *
+   * const client = await Encryption({ schemas: [usersSchema] })
+   *
+   * const result = await client.bulkEncryptModels<User>(
+   *   [
+   *     { id: "1", email: "alice@example.com" },
+   *     { id: "2", email: "bob@example.com" },
+   *   ],
+   *   usersSchema,
+   * )
+   *
+   * if (!result.failure) {
+   *   console.log(result.data) // array of models with encrypted email fields
+   * }
+   * ```
+   */
+  bulkEncryptModels(input, table) {
+    return new BulkEncryptModelsOperation(this.client, input, table);
+  }
+  /**
+   * Decrypt multiple models (objects) in a single bulk operation.
+   *
+   * Performs a single call to ZeroKMS regardless of the number of models,
+   * restoring all encrypted fields to their original plaintext values.
+   *
+   * @param input - An array of model objects with encrypted field values.
+   * @returns A `BulkDecryptModelsOperation<T>` that can be awaited to get a `Result`
+   *   containing an array of models with decrypted plaintext fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * const encryptedUsers = encryptedResult.data // from bulkEncryptModels
+   *
+   * const result = await client.bulkDecryptModels<User>(encryptedUsers)
+   *
+   * if (!result.failure) {
+   *   for (const user of result.data) {
+   *     console.log(user.email) // plaintext email
+   *   }
+   * }
+   *
+   * // With a lock context
+   * const result = await client
+   *   .bulkDecryptModels<User>(encryptedUsers)
+   *   .withLockContext(lockContext)
+   * ```
+   */
+  bulkDecryptModels(input) {
+    return new BulkDecryptModelsOperation(this.client, input);
+  }
+  /**
+   * Encrypt multiple plaintext values in a single bulk operation.
+   *
+   * Each value is encrypted with its own unique key via a single call to ZeroKMS.
+   * Values can include optional `id` fields for correlating results back to
+   * your application data. Null plaintext values are preserved as null.
+   *
+   * @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
+   * @param opts - Options specifying the target column and table for encryption.
+   * @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
+   *   containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email"),
+   * })
+   * const client = await Encryption({ schemas: [users] })
+   *
+   * const result = await client.bulkEncrypt(
+   *   [
+   *     { id: "u1", plaintext: "alice@example.com" },
+   *     { id: "u2", plaintext: "bob@example.com" },
+   *     { id: "u3", plaintext: null },
+   *   ],
+   *   { column: users.email, table: users },
+   * )
+   *
+   * if (!result.failure) {
+   *   // result.data = [{ id: "u1", data: Encrypted }, { id: "u2", data: Encrypted }, ...]
+   *   console.log(result.data)
+   * }
+   * ```
+   */
+  bulkEncrypt(plaintexts, opts) {
+    return new BulkEncryptOperation(this.client, plaintexts, opts);
+  }
+  /**
+   * Decrypt multiple encrypted values in a single bulk operation.
+   *
+   * Performs a single call to ZeroKMS to decrypt all values. The result uses
+   * a multi-status pattern: each item in the returned array has either a `data`
+   * field (success) or an `error` field (failure), allowing graceful handling
+   * of partial failures.
+   *
+   * @param encryptedPayloads - An array of objects with `data` (encrypted payload) and optional `id` fields.
+   * @returns A `BulkDecryptOperation` that can be awaited to get a `Result`
+   *   containing an array of `{ id?, data: plaintext }` or `{ id?, error: string }` objects,
+   *   or an `EncryptionError` if the entire operation fails.
+   *
+   * @example
+   * ```typescript
+   * const encrypted = await client.bulkEncrypt(plaintexts, { column: users.email, table: users })
+   *
+   * const result = await client.bulkDecrypt(encrypted.data)
+   *
+   * if (!result.failure) {
+   *   for (const item of result.data) {
+   *     if ("data" in item) {
+   *       console.log(`${item.id}: ${item.data}`)
+   *     } else {
+   *       console.error(`${item.id} failed: ${item.error}`)
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  bulkDecrypt(encryptedPayloads) {
+    return new BulkDecryptOperation(this.client, encryptedPayloads);
+  }
+  /** e.g., debugging or environment info */
+  clientInfo() {
+    return {
+      workspaceId: this.workspaceId
+    };
+  }
+};
+
+// src/index.ts
+function isValidUuid(uuid) {
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+  return uuidRegex.test(uuid);
+}
+var Encryption = async (config) => {
+  if (config.logging) {
+    initStackLogger(config.logging);
+  }
+  const { schemas, config: clientConfig } = config;
+  if (!schemas.length) {
+    throw new Error(
+      "[encryption]: At least one encryptedTable must be provided to initialize the encryption client"
+    );
+  }
+  if (clientConfig?.keyset && "id" in clientConfig.keyset && !isValidUuid(clientConfig.keyset.id)) {
+    throw new Error(
+      "[encryption]: Invalid UUID provided for keyset id. Must be a valid UUID."
+    );
+  }
+  const client = new EncryptionClient(clientConfig?.workspaceCrn);
+  const encryptConfig = buildEncryptConfig(...schemas);
+  const result = await client.init({
+    encryptConfig,
+    ...clientConfig
+  });
+  if (result.failure) {
+    throw new Error(`[encryption]: ${result.failure.message}`);
+  }
+  return result.data;
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  Encryption,
+  EncryptionErrorTypes,
+  encryptedColumn,
+  encryptedTable,
+  encryptedValue,
+  getErrorMessage
+});
+//# sourceMappingURL=index.cjs.map