@cipherstash/stack 0.1.0

package/dist/supabase/index.cjs

@@ -0,0 +1,1113 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/supabase/index.ts
+var supabase_exports = {};
+__export(supabase_exports, {
+  encryptedSupabase: () => encryptedSupabase
+});
+module.exports = __toCommonJS(supabase_exports);
+
+// src/encryption/helpers/index.ts
+function encryptedToPgComposite(obj) {
+  return {
+    data: obj
+  };
+}
+function modelToEncryptedPgComposites(model) {
+  const result = {};
+  for (const [key, value] of Object.entries(model)) {
+    if (isEncryptedPayload(value)) {
+      result[key] = encryptedToPgComposite(value);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function bulkModelsToEncryptedPgComposites(models) {
+  return models.map((model) => modelToEncryptedPgComposites(model));
+}
+function isEncryptedPayload(value) {
+  if (value === null) return false;
+  if (typeof value !== "object") return false;
+  const obj = value;
+  if (!("v" in obj) || typeof obj.v !== "number") return false;
+  if (!("i" in obj) || typeof obj.i !== "object") return false;
+  if (!("c" in obj) && !("sv" in obj)) return false;
+  return true;
+}
+
+// src/schema/index.ts
+var import_zod = require("zod");
+var castAsEnum = import_zod.z.enum(["bigint", "boolean", "date", "number", "string", "json"]).default("string");
+var tokenFilterSchema = import_zod.z.object({
+  kind: import_zod.z.literal("downcase")
+});
+var tokenizerSchema = import_zod.z.union([
+  import_zod.z.object({
+    kind: import_zod.z.literal("standard")
+  }),
+  import_zod.z.object({
+    kind: import_zod.z.literal("ngram"),
+    token_length: import_zod.z.number()
+  })
+]).default({ kind: "ngram", token_length: 3 }).optional();
+var oreIndexOptsSchema = import_zod.z.object({});
+var uniqueIndexOptsSchema = import_zod.z.object({
+  token_filters: import_zod.z.array(tokenFilterSchema).default([]).optional()
+});
+var matchIndexOptsSchema = import_zod.z.object({
+  tokenizer: tokenizerSchema,
+  token_filters: import_zod.z.array(tokenFilterSchema).default([]).optional(),
+  k: import_zod.z.number().default(6).optional(),
+  m: import_zod.z.number().default(2048).optional(),
+  include_original: import_zod.z.boolean().default(false).optional()
+});
+var steVecIndexOptsSchema = import_zod.z.object({
+  prefix: import_zod.z.string()
+});
+var indexesSchema = import_zod.z.object({
+  ore: oreIndexOptsSchema.optional(),
+  unique: uniqueIndexOptsSchema.optional(),
+  match: matchIndexOptsSchema.optional(),
+  ste_vec: steVecIndexOptsSchema.optional()
+}).default({});
+var columnSchema = import_zod.z.object({
+  cast_as: castAsEnum,
+  indexes: indexesSchema
+}).default({});
+var tableSchema = import_zod.z.record(columnSchema).default({});
+var tablesSchema = import_zod.z.record(tableSchema).default({});
+var encryptConfigSchema = import_zod.z.object({
+  v: import_zod.z.number(),
+  tables: tablesSchema
+});
+var ProtectColumn = class {
+  columnName;
+  castAsValue;
+  indexesValue = {};
+  constructor(columnName) {
+    this.columnName = columnName;
+    this.castAsValue = "string";
+  }
+  /**
+   * Set or override the plaintext data type for this column.
+   *
+   * By default all columns are treated as `'string'`. Use this method to specify
+   * a different type so the encryption layer knows how to encode the plaintext
+   * before encrypting.
+   *
+   * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const dateOfBirth = encryptedColumn("date_of_birth").dataType("date")
+   * ```
+   */
+  dataType(castAs) {
+    this.castAsValue = castAs;
+    return this;
+  }
+  /**
+   * Enable Order-Revealing Encryption (ORE) indexing on this column.
+   *
+   * ORE allows sorting, comparison, and range queries on encrypted data.
+   * Use with `encryptQuery` and `queryType: 'orderAndRange'`.
+   *
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").orderAndRange(),
+   * })
+   * ```
+   */
+  orderAndRange() {
+    this.indexesValue.ore = {};
+    return this;
+  }
+  /**
+   * Enable an exact-match (unique) index on this column.
+   *
+   * Allows equality queries on encrypted data. Use with `encryptQuery`
+   * and `queryType: 'equality'`.
+   *
+   * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
+   *   When omitted, no token filters are applied.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   * ```
+   */
+  equality(tokenFilters) {
+    this.indexesValue.unique = {
+      token_filters: tokenFilters ?? []
+    };
+    return this;
+  }
+  /**
+   * Enable a full-text / fuzzy search (match) index on this column.
+   *
+   * Uses n-gram tokenization by default for substring and fuzzy matching.
+   * Use with `encryptQuery` and `queryType: 'freeTextSearch'`.
+   *
+   * @param opts - Optional match index configuration. Defaults to 3-character ngram
+   *   tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email").freeTextSearch(),
+   * })
+   *
+   * // With custom options
+   * const posts = encryptedTable("posts", {
+   *   body: encryptedColumn("body").freeTextSearch({
+   *     tokenizer: { kind: "ngram", token_length: 4 },
+   *     k: 8,
+   *     m: 4096,
+   *   }),
+   * })
+   * ```
+   */
+  freeTextSearch(opts) {
+    this.indexesValue.match = {
+      tokenizer: opts?.tokenizer ?? { kind: "ngram", token_length: 3 },
+      token_filters: opts?.token_filters ?? [
+        {
+          kind: "downcase"
+        }
+      ],
+      k: opts?.k ?? 6,
+      m: opts?.m ?? 2048,
+      include_original: opts?.include_original ?? true
+    };
+    return this;
+  }
+  /**
+   * Configure this column for searchable encrypted JSON (STE-Vec).
+   *
+   * Enables encrypted JSONPath selector queries (e.g. `'$.user.email'`) and
+   * containment queries (e.g. `{ role: 'admin' }`). Automatically sets the
+   * data type to `'json'`.
+   *
+   * When used with `encryptQuery`, the query operation is auto-inferred from
+   * the plaintext type: strings become selector queries, objects/arrays become
+   * containment queries.
+   *
+   * @returns This `ProtectColumn` instance for method chaining.
+   *
+   * @example
+   * ```typescript
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const documents = encryptedTable("documents", {
+   *   metadata: encryptedColumn("metadata").searchableJson(),
+   * })
+   * ```
+   */
+  searchableJson() {
+    this.castAsValue = "json";
+    this.indexesValue.ste_vec = { prefix: "enabled" };
+    return this;
+  }
+  build() {
+    return {
+      cast_as: this.castAsValue,
+      indexes: this.indexesValue
+    };
+  }
+  getName() {
+    return this.columnName;
+  }
+};
+
+// src/supabase/helpers.ts
+function getEncryptedColumnNames(schema) {
+  const built = schema.build();
+  return Object.keys(built.columns);
+}
+function isEncryptedColumn(columnName, encryptedColumnNames) {
+  return encryptedColumnNames.includes(columnName);
+}
+function addJsonbCasts(columns, encryptedColumnNames) {
+  return columns.split(",").map((col) => {
+    const trimmed = col.trim();
+    if (!trimmed) return col;
+    if (trimmed.includes("::")) return col;
+    if (trimmed.includes("(") || trimmed.includes(".")) return col;
+    const parts = trimmed.split(/\s+/);
+    const colName = parts[0];
+    if (isEncryptedColumn(colName, encryptedColumnNames)) {
+      const leadingWhitespace = col.match(/^(\s*)/)?.[1] ?? "";
+      if (parts.length > 1) {
+        return `${leadingWhitespace}${colName}::jsonb ${parts.slice(1).join(" ")}`;
+      }
+      return `${leadingWhitespace}${colName}::jsonb`;
+    }
+    return col;
+  }).join(",");
+}
+function mapFilterOpToQueryType(op) {
+  switch (op) {
+    case "eq":
+    case "neq":
+    case "in":
+    case "is":
+      return "equality";
+    case "like":
+    case "ilike":
+      return "freeTextSearch";
+    case "gt":
+    case "gte":
+    case "lt":
+    case "lte":
+      return "orderAndRange";
+    default:
+      return "equality";
+  }
+}
+function parseOrString(orString) {
+  const conditions = [];
+  const parts = splitOrString(orString);
+  for (const part of parts) {
+    const trimmed = part.trim();
+    if (!trimmed) continue;
+    const firstDot = trimmed.indexOf(".");
+    if (firstDot === -1) continue;
+    const column = trimmed.slice(0, firstDot);
+    const rest = trimmed.slice(firstDot + 1);
+    const secondDot = rest.indexOf(".");
+    if (secondDot === -1) continue;
+    const op = rest.slice(0, secondDot);
+    const value = rest.slice(secondDot + 1);
+    const parsedValue = parseOrValue(value);
+    conditions.push({ column, op, value: parsedValue });
+  }
+  return conditions;
+}
+function rebuildOrString(conditions) {
+  return conditions.map((c) => {
+    const value = formatOrValue(c.value);
+    return `${c.column}.${c.op}.${value}`;
+  }).join(",");
+}
+function splitOrString(input) {
+  const parts = [];
+  let current = "";
+  let depth = 0;
+  for (const char of input) {
+    if (char === "(") {
+      depth++;
+      current += char;
+    } else if (char === ")") {
+      depth--;
+      current += char;
+    } else if (char === "," && depth === 0) {
+      parts.push(current);
+      current = "";
+    } else {
+      current += char;
+    }
+  }
+  if (current) {
+    parts.push(current);
+  }
+  return parts;
+}
+function parseOrValue(value) {
+  if (value.startsWith("(") && value.endsWith(")")) {
+    return value.slice(1, -1).split(",").map((v) => v.trim());
+  }
+  if (value === "true") return true;
+  if (value === "false") return false;
+  if (value === "null") return null;
+  return value;
+}
+function formatOrValue(value) {
+  if (Array.isArray(value)) {
+    return `(${value.join(",")})`;
+  }
+  if (value === null) return "null";
+  if (value === true) return "true";
+  if (value === false) return "false";
+  return String(value);
+}
+
+// src/supabase/query-builder.ts
+var EncryptedQueryBuilderImpl = class {
+  tableName;
+  schema;
+  encryptionClient;
+  supabaseClient;
+  encryptedColumnNames;
+  // Recorded operations
+  mutation = null;
+  selectColumns = null;
+  selectOptions = void 0;
+  filters = [];
+  orFilters = [];
+  matchFilters = [];
+  notFilters = [];
+  rawFilters = [];
+  transforms = [];
+  resultMode = "array";
+  shouldThrowOnError = false;
+  // Encryption-specific state
+  lockContext = null;
+  auditConfig = null;
+  constructor(tableName, schema, encryptionClient, supabaseClient) {
+    this.tableName = tableName;
+    this.schema = schema;
+    this.encryptionClient = encryptionClient;
+    this.supabaseClient = supabaseClient;
+    this.encryptedColumnNames = getEncryptedColumnNames(schema);
+  }
+  // ---------------------------------------------------------------------------
+  // Mutation methods
+  // ---------------------------------------------------------------------------
+  select(columns, options) {
+    if (columns === "*") {
+      throw new Error(
+        "encryptedSupabase does not support select('*'). Please list columns explicitly so that encrypted columns can be cast with ::jsonb."
+      );
+    }
+    this.selectColumns = columns;
+    this.selectOptions = options;
+    return this;
+  }
+  insert(data, options) {
+    this.mutation = {
+      kind: "insert",
+      data,
+      options
+    };
+    return this;
+  }
+  update(data, options) {
+    this.mutation = {
+      kind: "update",
+      data,
+      options
+    };
+    return this;
+  }
+  upsert(data, options) {
+    this.mutation = {
+      kind: "upsert",
+      data,
+      options
+    };
+    return this;
+  }
+  delete(options) {
+    this.mutation = { kind: "delete", options };
+    return this;
+  }
+  // ---------------------------------------------------------------------------
+  // Filter methods
+  // ---------------------------------------------------------------------------
+  eq(column, value) {
+    this.filters.push({ op: "eq", column, value });
+    return this;
+  }
+  neq(column, value) {
+    this.filters.push({ op: "neq", column, value });
+    return this;
+  }
+  gt(column, value) {
+    this.filters.push({ op: "gt", column, value });
+    return this;
+  }
+  gte(column, value) {
+    this.filters.push({ op: "gte", column, value });
+    return this;
+  }
+  lt(column, value) {
+    this.filters.push({ op: "lt", column, value });
+    return this;
+  }
+  lte(column, value) {
+    this.filters.push({ op: "lte", column, value });
+    return this;
+  }
+  like(column, pattern) {
+    this.filters.push({ op: "like", column, value: pattern });
+    return this;
+  }
+  ilike(column, pattern) {
+    this.filters.push({ op: "ilike", column, value: pattern });
+    return this;
+  }
+  is(column, value) {
+    this.filters.push({ op: "is", column, value });
+    return this;
+  }
+  in(column, values) {
+    this.filters.push({ op: "in", column, value: values });
+    return this;
+  }
+  filter(column, operator, value) {
+    this.rawFilters.push({ column, operator, value });
+    return this;
+  }
+  not(column, operator, value) {
+    this.notFilters.push({ column, op: operator, value });
+    return this;
+  }
+  or(filtersOrConditions, options) {
+    if (typeof filtersOrConditions === "string") {
+      this.orFilters.push({
+        kind: "string",
+        value: filtersOrConditions,
+        referencedTable: options?.referencedTable ?? options?.foreignTable
+      });
+    } else {
+      this.orFilters.push({
+        kind: "structured",
+        conditions: filtersOrConditions
+      });
+    }
+    return this;
+  }
+  match(query) {
+    this.matchFilters.push({ query });
+    return this;
+  }
+  // ---------------------------------------------------------------------------
+  // Transform methods (passthrough)
+  // ---------------------------------------------------------------------------
+  order(column, options) {
+    this.transforms.push({ kind: "order", column, options });
+    return this;
+  }
+  limit(count, options) {
+    this.transforms.push({ kind: "limit", count, options });
+    return this;
+  }
+  range(from, to, options) {
+    this.transforms.push({ kind: "range", from, to, options });
+    return this;
+  }
+  single() {
+    this.resultMode = "single";
+    this.transforms.push({ kind: "single" });
+    return this;
+  }
+  maybeSingle() {
+    this.resultMode = "maybeSingle";
+    this.transforms.push({ kind: "maybeSingle" });
+    return this;
+  }
+  csv() {
+    this.transforms.push({ kind: "csv" });
+    return this;
+  }
+  abortSignal(signal) {
+    this.transforms.push({ kind: "abortSignal", signal });
+    return this;
+  }
+  throwOnError() {
+    this.shouldThrowOnError = true;
+    this.transforms.push({ kind: "throwOnError" });
+    return this;
+  }
+  returns() {
+    return this;
+  }
+  // ---------------------------------------------------------------------------
+  // Encryption-specific methods
+  // ---------------------------------------------------------------------------
+  withLockContext(lockContext) {
+    this.lockContext = lockContext;
+    return this;
+  }
+  audit(config) {
+    this.auditConfig = config;
+    return this;
+  }
+  // ---------------------------------------------------------------------------
+  // PromiseLike implementation (deferred execution)
+  // ---------------------------------------------------------------------------
+  then(onfulfilled, onrejected) {
+    return this.execute().then(onfulfilled, onrejected);
+  }
+  // ---------------------------------------------------------------------------
+  // Core execution
+  // ---------------------------------------------------------------------------
+  async execute() {
+    try {
+      const encryptedMutation = await this.encryptMutationData();
+      const selectString = this.buildSelectString();
+      const encryptedFilters = await this.encryptFilterValues();
+      const result = await this.buildAndExecuteQuery(
+        encryptedMutation,
+        selectString,
+        encryptedFilters
+      );
+      return await this.decryptResults(result);
+    } catch (err) {
+      const error = {
+        message: err instanceof Error ? err.message : String(err),
+        encryptionError: void 0
+      };
+      if (this.shouldThrowOnError) {
+        throw err;
+      }
+      return {
+        data: null,
+        error,
+        count: null,
+        status: 500,
+        statusText: "Encryption Error"
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Step 1: Encrypt mutation data
+  // ---------------------------------------------------------------------------
+  async encryptMutationData() {
+    if (!this.mutation) return null;
+    if (this.mutation.kind === "delete") return null;
+    const data = this.mutation.data;
+    if (Array.isArray(data)) {
+      const baseOp2 = this.encryptionClient.bulkEncryptModels(data, this.schema);
+      const op2 = this.lockContext ? baseOp2.withLockContext(this.lockContext) : baseOp2;
+      if (this.auditConfig) op2.audit(this.auditConfig);
+      const result2 = await op2;
+      if (result2.failure) {
+        throw new EncryptionFailedError(
+          `Failed to encrypt models: ${result2.failure.message}`,
+          result2.failure
+        );
+      }
+      return bulkModelsToEncryptedPgComposites(result2.data);
+    }
+    const baseOp = this.encryptionClient.encryptModel(data, this.schema);
+    const op = this.lockContext ? baseOp.withLockContext(this.lockContext) : baseOp;
+    if (this.auditConfig) op.audit(this.auditConfig);
+    const result = await op;
+    if (result.failure) {
+      throw new EncryptionFailedError(
+        `Failed to encrypt model: ${result.failure.message}`,
+        result.failure
+      );
+    }
+    return modelToEncryptedPgComposites(result.data);
+  }
+  // ---------------------------------------------------------------------------
+  // Step 2: Build select string with casts
+  // ---------------------------------------------------------------------------
+  buildSelectString() {
+    if (this.selectColumns === null) return null;
+    return addJsonbCasts(this.selectColumns, this.encryptedColumnNames);
+  }
+  // ---------------------------------------------------------------------------
+  // Step 3: Encrypt filter values
+  // ---------------------------------------------------------------------------
+  async encryptFilterValues() {
+    const terms = [];
+    const termMap = [];
+    const tableColumns = this.getColumnMap();
+    for (let i = 0; i < this.filters.length; i++) {
+      const f = this.filters[i];
+      if (!isEncryptedColumn(f.column, this.encryptedColumnNames)) continue;
+      const column = tableColumns[f.column];
+      if (!column) continue;
+      if (f.op === "in" && Array.isArray(f.value)) {
+        for (let j = 0; j < f.value.length; j++) {
+          terms.push({
+            value: f.value[j],
+            column,
+            table: this.schema,
+            queryType: mapFilterOpToQueryType(f.op),
+            returnType: "composite-literal"
+          });
+          termMap.push({ source: "filter", filterIndex: i, inIndex: j });
+        }
+      } else if (f.op === "is") {
+        continue;
+      } else {
+        terms.push({
+          value: f.value,
+          column,
+          table: this.schema,
+          queryType: mapFilterOpToQueryType(f.op),
+          returnType: "composite-literal"
+        });
+        termMap.push({ source: "filter", filterIndex: i });
+      }
+    }
+    for (let i = 0; i < this.matchFilters.length; i++) {
+      const mf = this.matchFilters[i];
+      for (const [colName, value] of Object.entries(mf.query)) {
+        if (!isEncryptedColumn(colName, this.encryptedColumnNames)) continue;
+        const column = tableColumns[colName];
+        if (!column) continue;
+        terms.push({
+          value,
+          column,
+          table: this.schema,
+          queryType: "equality",
+          returnType: "composite-literal"
+        });
+        termMap.push({ source: "match", matchIndex: i, column: colName });
+      }
+    }
+    for (let i = 0; i < this.notFilters.length; i++) {
+      const nf = this.notFilters[i];
+      if (!isEncryptedColumn(nf.column, this.encryptedColumnNames)) continue;
+      const column = tableColumns[nf.column];
+      if (!column) continue;
+      terms.push({
+        value: nf.value,
+        column,
+        table: this.schema,
+        queryType: mapFilterOpToQueryType(nf.op),
+        returnType: "composite-literal"
+      });
+      termMap.push({ source: "not", notIndex: i });
+    }
+    for (let i = 0; i < this.orFilters.length; i++) {
+      const of_ = this.orFilters[i];
+      if (of_.kind === "string") {
+        const parsed = parseOrString(of_.value);
+        for (let j = 0; j < parsed.length; j++) {
+          const cond = parsed[j];
+          if (!isEncryptedColumn(cond.column, this.encryptedColumnNames))
+            continue;
+          const column = tableColumns[cond.column];
+          if (!column) continue;
+          terms.push({
+            value: cond.value,
+            column,
+            table: this.schema,
+            queryType: mapFilterOpToQueryType(cond.op),
+            returnType: "composite-literal"
+          });
+          termMap.push({ source: "or-string", orIndex: i, conditionIndex: j });
+        }
+      } else {
+        for (let j = 0; j < of_.conditions.length; j++) {
+          const cond = of_.conditions[j];
+          if (!isEncryptedColumn(cond.column, this.encryptedColumnNames))
+            continue;
+          const column = tableColumns[cond.column];
+          if (!column) continue;
+          terms.push({
+            value: cond.value,
+            column,
+            table: this.schema,
+            queryType: mapFilterOpToQueryType(cond.op),
+            returnType: "composite-literal"
+          });
+          termMap.push({
+            source: "or-structured",
+            orIndex: i,
+            conditionIndex: j
+          });
+        }
+      }
+    }
+    for (let i = 0; i < this.rawFilters.length; i++) {
+      const rf = this.rawFilters[i];
+      if (!isEncryptedColumn(rf.column, this.encryptedColumnNames)) continue;
+      const column = tableColumns[rf.column];
+      if (!column) continue;
+      terms.push({
+        value: rf.value,
+        column,
+        table: this.schema,
+        queryType: "equality",
+        returnType: "composite-literal"
+      });
+      termMap.push({ source: "raw", rawIndex: i });
+    }
+    if (terms.length === 0) {
+      return { encryptedValues: [], termMap: [] };
+    }
+    const baseOp = this.encryptionClient.encryptQuery(terms);
+    const op = this.lockContext ? baseOp.withLockContext(this.lockContext) : baseOp;
+    if (this.auditConfig) op.audit(this.auditConfig);
+    const result = await op;
+    if (result.failure) {
+      throw new EncryptionFailedError(
+        `Failed to encrypt query terms: ${result.failure.message}`,
+        result.failure
+      );
+    }
+    return { encryptedValues: result.data, termMap };
+  }
+  // ---------------------------------------------------------------------------
+  // Step 4: Build and execute real Supabase query
+  // ---------------------------------------------------------------------------
+  async buildAndExecuteQuery(encryptedMutation, selectString, encryptedFilters) {
+    let query = this.supabaseClient.from(this.tableName);
+    if (this.mutation) {
+      switch (this.mutation.kind) {
+        case "insert":
+          query = query.insert(encryptedMutation, this.mutation.options);
+          break;
+        case "update":
+          query = query.update(encryptedMutation, this.mutation.options);
+          break;
+        case "upsert":
+          query = query.upsert(encryptedMutation, this.mutation.options);
+          break;
+        case "delete":
+          query = query.delete(this.mutation.options);
+          break;
+      }
+    }
+    if (selectString !== null) {
+      query = query.select(selectString, this.selectOptions);
+    } else if (!this.mutation) {
+      query = query.select("*", this.selectOptions);
+    }
+    query = this.applyFilters(query, encryptedFilters);
+    for (const t of this.transforms) {
+      switch (t.kind) {
+        case "order":
+          query = query.order(t.column, t.options);
+          break;
+        case "limit":
+          query = query.limit(t.count, t.options);
+          break;
+        case "range":
+          query = query.range(t.from, t.to, t.options);
+          break;
+        case "single":
+          query = query.single();
+          break;
+        case "maybeSingle":
+          query = query.maybeSingle();
+          break;
+        case "csv":
+          query = query.csv();
+          break;
+        case "abortSignal":
+          query = query.abortSignal(t.signal);
+          break;
+        case "throwOnError":
+          query = query.throwOnError();
+          break;
+      }
+    }
+    const result = await query;
+    return result;
+  }
+  // ---------------------------------------------------------------------------
+  // Apply filters with encrypted values substituted
+  // ---------------------------------------------------------------------------
+  applyFilters(query, encryptedFilters) {
+    let q = query;
+    const filterValueMap = /* @__PURE__ */ new Map();
+    const filterInMap = /* @__PURE__ */ new Map();
+    const matchValueMap = /* @__PURE__ */ new Map();
+    const notValueMap = /* @__PURE__ */ new Map();
+    const rawValueMap = /* @__PURE__ */ new Map();
+    const orStringConditionMap = /* @__PURE__ */ new Map();
+    const orStructuredConditionMap = /* @__PURE__ */ new Map();
+    for (let i = 0; i < encryptedFilters.termMap.length; i++) {
+      const mapping = encryptedFilters.termMap[i];
+      const encValue = encryptedFilters.encryptedValues[i];
+      switch (mapping.source) {
+        case "filter":
+          if (mapping.inIndex !== void 0) {
+            filterInMap.set(
+              `${mapping.filterIndex}:${mapping.inIndex}`,
+              encValue
+            );
+          } else {
+            filterValueMap.set(mapping.filterIndex, encValue);
+          }
+          break;
+        case "match":
+          matchValueMap.set(`${mapping.matchIndex}:${mapping.column}`, encValue);
+          break;
+        case "not":
+          notValueMap.set(mapping.notIndex, encValue);
+          break;
+        case "raw":
+          rawValueMap.set(mapping.rawIndex, encValue);
+          break;
+        case "or-string":
+          orStringConditionMap.set(
+            `${mapping.orIndex}:${mapping.conditionIndex}`,
+            encValue
+          );
+          break;
+        case "or-structured":
+          orStructuredConditionMap.set(
+            `${mapping.orIndex}:${mapping.conditionIndex}`,
+            encValue
+          );
+          break;
+      }
+    }
+    for (let i = 0; i < this.filters.length; i++) {
+      const f = this.filters[i];
+      let value = f.value;
+      if (filterValueMap.has(i)) {
+        value = filterValueMap.get(i);
+      } else if (f.op === "in" && Array.isArray(f.value)) {
+        value = f.value.map((v, j) => {
+          const key = `${i}:${j}`;
+          return filterInMap.has(key) ? filterInMap.get(key) : v;
+        });
+      }
+      switch (f.op) {
+        case "eq":
+          q = q.eq(f.column, value);
+          break;
+        case "neq":
+          q = q.neq(f.column, value);
+          break;
+        case "gt":
+          q = q.gt(f.column, value);
+          break;
+        case "gte":
+          q = q.gte(f.column, value);
+          break;
+        case "lt":
+          q = q.lt(f.column, value);
+          break;
+        case "lte":
+          q = q.lte(f.column, value);
+          break;
+        case "like":
+          q = q.like(f.column, value);
+          break;
+        case "ilike":
+          q = q.ilike(f.column, value);
+          break;
+        case "is":
+          q = q.is(f.column, value);
+          break;
+        case "in":
+          q = q.in(f.column, value);
+          break;
+      }
+    }
+    for (let i = 0; i < this.matchFilters.length; i++) {
+      const mf = this.matchFilters[i];
+      const resolvedQuery = {};
+      for (const [colName, originalValue] of Object.entries(mf.query)) {
+        const key = `${i}:${colName}`;
+        resolvedQuery[colName] = matchValueMap.has(key) ? matchValueMap.get(key) : originalValue;
+      }
+      q = q.match(resolvedQuery);
+    }
+    for (let i = 0; i < this.notFilters.length; i++) {
+      const nf = this.notFilters[i];
+      const value = notValueMap.has(i) ? notValueMap.get(i) : nf.value;
+      q = q.not(nf.column, nf.op, value);
+    }
+    for (let i = 0; i < this.orFilters.length; i++) {
+      const of_ = this.orFilters[i];
+      if (of_.kind === "string") {
+        const parsed = parseOrString(of_.value);
+        let hasEncrypted = false;
+        for (let j = 0; j < parsed.length; j++) {
+          const key = `${i}:${j}`;
+          if (orStringConditionMap.has(key)) {
+            parsed[j] = { ...parsed[j], value: orStringConditionMap.get(key) };
+            hasEncrypted = true;
+          }
+        }
+        if (hasEncrypted) {
+          q = q.or(rebuildOrString(parsed), {
+            referencedTable: of_.referencedTable
+          });
+        } else {
+          q = q.or(of_.value, { referencedTable: of_.referencedTable });
+        }
+      } else {
+        const conditions = of_.conditions.map((cond, j) => {
+          const key = `${i}:${j}`;
+          if (orStructuredConditionMap.has(key)) {
+            return { ...cond, value: orStructuredConditionMap.get(key) };
+          }
+          return cond;
+        });
+        q = q.or(rebuildOrString(conditions));
+      }
+    }
+    for (let i = 0; i < this.rawFilters.length; i++) {
+      const rf = this.rawFilters[i];
+      const value = rawValueMap.has(i) ? rawValueMap.get(i) : rf.value;
+      q = q.filter(rf.column, rf.operator, value);
+    }
+    return q;
+  }
+  // ---------------------------------------------------------------------------
+  // Step 5: Decrypt results
+  // ---------------------------------------------------------------------------
+  async decryptResults(result) {
+    if (result.error) {
+      return {
+        data: null,
+        error: {
+          message: result.error.message,
+          details: result.error.details,
+          hint: result.error.hint,
+          code: result.error.code
+        },
+        count: result.count ?? null,
+        status: result.status,
+        statusText: result.statusText
+      };
+    }
+    if (result.data === null || result.data === void 0) {
+      return {
+        data: null,
+        error: null,
+        count: result.count ?? null,
+        status: result.status,
+        statusText: result.statusText
+      };
+    }
+    const hasSelect = this.selectColumns !== null;
+    const hasMutationWithReturning = this.mutation !== null && hasSelect;
+    if (!hasSelect && !hasMutationWithReturning) {
+      return {
+        data: result.data,
+        error: null,
+        count: result.count ?? null,
+        status: result.status,
+        statusText: result.statusText
+      };
+    }
+    if (this.resultMode === "single" || this.resultMode === "maybeSingle") {
+      if (result.data === null) {
+        return {
+          data: null,
+          error: null,
+          count: result.count ?? null,
+          status: result.status,
+          statusText: result.statusText
+        };
+      }
+      const baseDecryptOp = this.encryptionClient.decryptModel(
+        result.data
+      );
+      const decryptOp = this.lockContext ? baseDecryptOp.withLockContext(this.lockContext) : baseDecryptOp;
+      if (this.auditConfig) decryptOp.audit(this.auditConfig);
+      const decrypted2 = await decryptOp;
+      if (decrypted2.failure) {
+        throw new EncryptionFailedError(
+          `Failed to decrypt model: ${decrypted2.failure.message}`,
+          decrypted2.failure
+        );
+      }
+      return {
+        data: decrypted2.data,
+        error: null,
+        count: result.count ?? null,
+        status: result.status,
+        statusText: result.statusText
+      };
+    }
+    const dataArray = result.data;
+    if (dataArray.length === 0) {
+      return {
+        data: [],
+        error: null,
+        count: result.count ?? null,
+        status: result.status,
+        statusText: result.statusText
+      };
+    }
+    const baseBulkDecryptOp = this.encryptionClient.bulkDecryptModels(dataArray);
+    const bulkDecryptOp = this.lockContext ? baseBulkDecryptOp.withLockContext(this.lockContext) : baseBulkDecryptOp;
+    if (this.auditConfig) bulkDecryptOp.audit(this.auditConfig);
+    const decrypted = await bulkDecryptOp;
+    if (decrypted.failure) {
+      throw new EncryptionFailedError(
+        `Failed to decrypt models: ${decrypted.failure.message}`,
+        decrypted.failure
+      );
+    }
+    return {
+      data: decrypted.data,
+      error: null,
+      count: result.count ?? null,
+      status: result.status,
+      statusText: result.statusText
+    };
+  }
+  // ---------------------------------------------------------------------------
+  // Helpers
+  // ---------------------------------------------------------------------------
+  getColumnMap() {
+    const map = {};
+    const schema = this.schema;
+    for (const colName of this.encryptedColumnNames) {
+      const col = schema[colName];
+      if (col instanceof ProtectColumn) {
+        map[colName] = col;
+      }
+    }
+    return map;
+  }
+};
+var EncryptionFailedError = class extends Error {
+  encryptionError;
+  constructor(message, encryptionError) {
+    super(message);
+    this.name = "EncryptionFailedError";
+    this.encryptionError = encryptionError;
+  }
+};
+
+// src/supabase/index.ts
+function encryptedSupabase(config) {
+  const { encryptionClient, supabaseClient } = config;
+  return {
+    from(tableName, schema) {
+      return new EncryptedQueryBuilderImpl(
+        tableName,
+        schema,
+        encryptionClient,
+        supabaseClient
+      );
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  encryptedSupabase
+});
+//# sourceMappingURL=index.cjs.map