@cipherstash/stack 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/LICENSE.md +21 -0
  3. package/README.md +670 -0
  4. package/dist/bin/stash.js +5049 -0
  5. package/dist/bin/stash.js.map +1 -0
  6. package/dist/chunk-2GZMIJFO.js +2400 -0
  7. package/dist/chunk-2GZMIJFO.js.map +1 -0
  8. package/dist/chunk-5DCT6YU2.js +138 -0
  9. package/dist/chunk-5DCT6YU2.js.map +1 -0
  10. package/dist/chunk-7XRPN2KX.js +336 -0
  11. package/dist/chunk-7XRPN2KX.js.map +1 -0
  12. package/dist/chunk-SJ7JO4ME.js +28 -0
  13. package/dist/chunk-SJ7JO4ME.js.map +1 -0
  14. package/dist/chunk-SUYMGQBY.js +67 -0
  15. package/dist/chunk-SUYMGQBY.js.map +1 -0
  16. package/dist/client-BxJG56Ey.d.cts +647 -0
  17. package/dist/client-DtGq9dJp.d.ts +647 -0
  18. package/dist/client.cjs +347 -0
  19. package/dist/client.cjs.map +1 -0
  20. package/dist/client.d.cts +7 -0
  21. package/dist/client.d.ts +7 -0
  22. package/dist/client.js +11 -0
  23. package/dist/client.js.map +1 -0
  24. package/dist/drizzle/index.cjs +1528 -0
  25. package/dist/drizzle/index.cjs.map +1 -0
  26. package/dist/drizzle/index.d.cts +350 -0
  27. package/dist/drizzle/index.d.ts +350 -0
  28. package/dist/drizzle/index.js +1212 -0
  29. package/dist/drizzle/index.js.map +1 -0
  30. package/dist/dynamodb/index.cjs +382 -0
  31. package/dist/dynamodb/index.cjs.map +1 -0
  32. package/dist/dynamodb/index.d.cts +125 -0
  33. package/dist/dynamodb/index.d.ts +125 -0
  34. package/dist/dynamodb/index.js +355 -0
  35. package/dist/dynamodb/index.js.map +1 -0
  36. package/dist/identity/index.cjs +271 -0
  37. package/dist/identity/index.cjs.map +1 -0
  38. package/dist/identity/index.d.cts +3 -0
  39. package/dist/identity/index.d.ts +3 -0
  40. package/dist/identity/index.js +117 -0
  41. package/dist/identity/index.js.map +1 -0
  42. package/dist/index-9-Ya3fDK.d.cts +169 -0
  43. package/dist/index-9-Ya3fDK.d.ts +169 -0
  44. package/dist/index.cjs +2915 -0
  45. package/dist/index.cjs.map +1 -0
  46. package/dist/index.d.cts +22 -0
  47. package/dist/index.d.ts +22 -0
  48. package/dist/index.js +23 -0
  49. package/dist/index.js.map +1 -0
  50. package/dist/schema/index.cjs +368 -0
  51. package/dist/schema/index.cjs.map +1 -0
  52. package/dist/schema/index.d.cts +4 -0
  53. package/dist/schema/index.d.ts +4 -0
  54. package/dist/schema/index.js +23 -0
  55. package/dist/schema/index.js.map +1 -0
  56. package/dist/secrets/index.cjs +3207 -0
  57. package/dist/secrets/index.cjs.map +1 -0
  58. package/dist/secrets/index.d.cts +227 -0
  59. package/dist/secrets/index.d.ts +227 -0
  60. package/dist/secrets/index.js +323 -0
  61. package/dist/secrets/index.js.map +1 -0
  62. package/dist/supabase/index.cjs +1113 -0
  63. package/dist/supabase/index.cjs.map +1 -0
  64. package/dist/supabase/index.d.cts +144 -0
  65. package/dist/supabase/index.d.ts +144 -0
  66. package/dist/supabase/index.js +864 -0
  67. package/dist/supabase/index.js.map +1 -0
  68. package/dist/types-public-BCj1L4fi.d.cts +1013 -0
  69. package/dist/types-public-BCj1L4fi.d.ts +1013 -0
  70. package/dist/types-public.cjs +40 -0
  71. package/dist/types-public.cjs.map +1 -0
  72. package/dist/types-public.d.cts +4 -0
  73. package/dist/types-public.d.ts +4 -0
  74. package/dist/types-public.js +7 -0
  75. package/dist/types-public.js.map +1 -0
  76. package/package.json +202 -0
package/dist/types-public-BCj1L4fi.d.ts ADDED
@@ -0,0 +1,1013 @@
1
+ import { z } from 'zod';
2
+ import { LoggerConfig } from 'evlog';
3
+ import { Encrypted as Encrypted$1, newClient, JsPlaintext } from '@cipherstash/protect-ffi';
4
+
5
+ type LoggingConfig = {
6
+ enabled?: boolean;
7
+ pretty?: boolean;
8
+ drain?: LoggerConfig['drain'];
9
+ };
10
+
11
+ /** Brand symbol for nominal typing */
12
+ declare const __brand: unique symbol;
13
+ /** Creates a branded type that is structurally incompatible with the base type */
14
+ type Brand<T, B extends string> = T & {
15
+ readonly [__brand]: B;
16
+ };
17
+ type Client = Awaited<ReturnType<typeof newClient>> | undefined;
18
+ /** A branded type representing encrypted data. Cannot be accidentally used as plaintext. */
19
+ type EncryptedValue = Brand<Encrypted$1, 'encrypted'> | null;
20
+ /** Structural type representing encrypted data. See also `EncryptedValue` for branded nominal typing. */
21
+ type Encrypted = Encrypted$1 | null;
22
+ type EncryptPayload = JsPlaintext | null;
23
+ type KeysetIdentifier = {
24
+ name: string;
25
+ } | {
26
+ id: string;
27
+ };
28
+ type ClientConfig = {
29
+ /**
30
+ * The CipherStash workspace CRN (Cloud Resource Name).
31
+ * Format: `crn:<region>.aws:<workspace-id>`.
32
+ * Can also be set via the `CS_WORKSPACE_CRN` environment variable.
33
+ * If omitted, the SDK reads from the environment or TOML config files.
34
+ */
35
+ workspaceCrn?: string;
36
+ /**
37
+ * The API access key used for authenticating with the CipherStash API.
38
+ * Can also be set via the `CS_CLIENT_ACCESS_KEY` environment variable.
39
+ * Obtain this from the CipherStash dashboard after creating a workspace.
40
+ */
41
+ accessKey?: string;
42
+ /**
43
+ * The client identifier used to authenticate with CipherStash services.
44
+ * Can also be set via the `CS_CLIENT_ID` environment variable.
45
+ * Generated during workspace onboarding in the CipherStash dashboard.
46
+ */
47
+ clientId?: string;
48
+ /**
49
+ * The client key material used in combination with ZeroKMS for encryption operations.
50
+ * Can also be set via the `CS_CLIENT_KEY` environment variable.
51
+ * Generated during workspace onboarding in the CipherStash dashboard.
52
+ */
53
+ clientKey?: string;
54
+ /**
55
+ * An optional keyset identifier for multi-tenant encryption.
56
+ * Each keyset provides cryptographic isolation, giving each tenant its own keyspace.
57
+ * Specify by name (`{ name: "tenant-a" }`) or UUID (`{ id: "..." }`).
58
+ * Keysets are created and managed in the CipherStash dashboard.
59
+ */
60
+ keyset?: KeysetIdentifier;
61
+ };
62
+ type AtLeastOneCsTable<T> = [T, ...T[]];
63
+ type EncryptionClientConfig = {
64
+ schemas: AtLeastOneCsTable<ProtectTable<ProtectTableColumn>>;
65
+ config?: ClientConfig;
66
+ logging?: LoggingConfig;
67
+ };
68
+ type EncryptOptions = {
69
+ column: ProtectColumn | ProtectValue;
70
+ table: ProtectTable<ProtectTableColumn>;
71
+ };
72
+ /** Format for encrypted query/search term return values */
73
+ type EncryptedReturnType = 'eql' | 'composite-literal' | 'escaped-composite-literal';
74
+ type SearchTerm = {
75
+ value: JsPlaintext;
76
+ column: ProtectColumn;
77
+ table: ProtectTable<ProtectTableColumn>;
78
+ returnType?: EncryptedReturnType;
79
+ };
80
+ /** Encrypted search term result: EQL object or composite literal string */
81
+ type EncryptedSearchTerm = Encrypted | string;
82
+ /** Result of encryptQuery (single or batch): EQL, composite literal string, or null */
83
+ type EncryptedQueryResult = Encrypted | string | null;
84
+ type EncryptedFields<T> = {
85
+ [K in keyof T as T[K] extends Encrypted ? K : never]: T[K];
86
+ };
87
+ type OtherFields<T> = {
88
+ [K in keyof T as T[K] extends Encrypted ? never : K]: T[K];
89
+ };
90
+ type DecryptedFields<T> = {
91
+ [K in keyof T as T[K] extends Encrypted ? K : never]: string;
92
+ };
93
+ /** Model with encrypted fields replaced by plaintext (decrypted) values */
94
+ type Decrypted<T> = OtherFields<T> & DecryptedFields<T>;
95
+ type BulkEncryptPayload = Array<{
96
+ id?: string;
97
+ plaintext: JsPlaintext | null;
98
+ }>;
99
+ type BulkEncryptedData = Array<{
100
+ id?: string;
101
+ data: Encrypted;
102
+ }>;
103
+ type BulkDecryptPayload = Array<{
104
+ id?: string;
105
+ data: Encrypted;
106
+ }>;
107
+ type BulkDecryptedData = Array<DecryptionResult<JsPlaintext | null>>;
108
+ type DecryptionSuccess<T> = {
109
+ error?: never;
110
+ data: T;
111
+ id?: string;
112
+ };
113
+ type DecryptionError<T> = {
114
+ error: T;
115
+ id?: string;
116
+ data?: never;
117
+ };
118
+ /**
119
+ * Result type for individual items in bulk decrypt operations.
120
+ * Uses `error`/`data` fields (not `failure`/`data`) since bulk operations
121
+ * can have per-item failures.
122
+ */
123
+ type DecryptionResult<T> = DecryptionSuccess<T> | DecryptionError<T>;
124
+ /**
125
+ * User-facing query type names for encrypting query values.
126
+ *
127
+ * - `'equality'`: Exact match. [Exact Queries](https://cipherstash.com/docs/platform/searchable-encryption/supported-queries/exact)
128
+ * - `'freeTextSearch'`: Text search. [Match Queries](https://cipherstash.com/docs/platform/searchable-encryption/supported-queries/match)
129
+ * - `'orderAndRange'`: Comparison and range. [Range Queries](https://cipherstash.com/docs/platform/searchable-encryption/supported-queries/range)
130
+ * - `'steVecSelector'`: JSONPath selector (e.g. `'$.user.email'`)
131
+ * - `'steVecTerm'`: Containment (e.g. `{ role: 'admin' }`)
132
+ * - `'searchableJson'`: Auto-infers selector or term from plaintext type (recommended)
133
+ */
134
+ type QueryTypeName = 'orderAndRange' | 'freeTextSearch' | 'equality' | 'steVecSelector' | 'steVecTerm' | 'searchableJson';
135
+ declare const queryTypes: {
136
+ readonly orderAndRange: "orderAndRange";
137
+ readonly freeTextSearch: "freeTextSearch";
138
+ readonly equality: "equality";
139
+ readonly steVecSelector: "steVecSelector";
140
+ readonly steVecTerm: "steVecTerm";
141
+ readonly searchableJson: "searchableJson";
142
+ };
143
+ /** @internal */
144
+ type QueryTermBase = {
145
+ column: ProtectColumn;
146
+ table: ProtectTable<ProtectTableColumn>;
147
+ queryType?: QueryTypeName;
148
+ returnType?: EncryptedReturnType;
149
+ };
150
+ type EncryptQueryOptions = QueryTermBase;
151
+ type ScalarQueryTerm = QueryTermBase & {
152
+ value: JsPlaintext | null;
153
+ };
154
+
155
+ /**
156
+ * Allowed cast types for CipherStash schema fields.
157
+ *
158
+ * **Possible values:**
159
+ * - `"bigint"`
160
+ * - `"boolean"`
161
+ * - `"date"`
162
+ * - `"number"`
163
+ * - `"string"`
164
+ * - `"json"`
165
+ *
166
+ * @remarks
167
+ * This is a Zod enum used at runtime to validate schema definitions.
168
+ * Use {@link CastAs} when typing your own code.
169
+ *
170
+ * @internal
171
+ */
172
+ declare const castAsEnum: z.ZodDefault<z.ZodEnum<["bigint", "boolean", "date", "number", "string", "json"]>>;
173
+ declare const tokenFilterSchema: z.ZodObject<{
174
+ kind: z.ZodLiteral<"downcase">;
175
+ }, "strip", z.ZodTypeAny, {
176
+ kind: "downcase";
177
+ }, {
178
+ kind: "downcase";
179
+ }>;
180
+ declare const oreIndexOptsSchema: z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>;
181
+ declare const uniqueIndexOptsSchema: z.ZodObject<{
182
+ token_filters: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
183
+ kind: z.ZodLiteral<"downcase">;
184
+ }, "strip", z.ZodTypeAny, {
185
+ kind: "downcase";
186
+ }, {
187
+ kind: "downcase";
188
+ }>, "many">>>;
189
+ }, "strip", z.ZodTypeAny, {
190
+ token_filters?: {
191
+ kind: "downcase";
192
+ }[] | undefined;
193
+ }, {
194
+ token_filters?: {
195
+ kind: "downcase";
196
+ }[] | undefined;
197
+ }>;
198
+ declare const matchIndexOptsSchema: z.ZodObject<{
199
+ tokenizer: z.ZodOptional<z.ZodDefault<z.ZodUnion<[z.ZodObject<{
200
+ kind: z.ZodLiteral<"standard">;
201
+ }, "strip", z.ZodTypeAny, {
202
+ kind: "standard";
203
+ }, {
204
+ kind: "standard";
205
+ }>, z.ZodObject<{
206
+ kind: z.ZodLiteral<"ngram">;
207
+ token_length: z.ZodNumber;
208
+ }, "strip", z.ZodTypeAny, {
209
+ kind: "ngram";
210
+ token_length: number;
211
+ }, {
212
+ kind: "ngram";
213
+ token_length: number;
214
+ }>]>>>;
215
+ token_filters: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
216
+ kind: z.ZodLiteral<"downcase">;
217
+ }, "strip", z.ZodTypeAny, {
218
+ kind: "downcase";
219
+ }, {
220
+ kind: "downcase";
221
+ }>, "many">>>;
222
+ k: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
223
+ m: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
224
+ include_original: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
225
+ }, "strip", z.ZodTypeAny, {
226
+ token_filters?: {
227
+ kind: "downcase";
228
+ }[] | undefined;
229
+ tokenizer?: {
230
+ kind: "standard";
231
+ } | {
232
+ kind: "ngram";
233
+ token_length: number;
234
+ } | undefined;
235
+ k?: number | undefined;
236
+ m?: number | undefined;
237
+ include_original?: boolean | undefined;
238
+ }, {
239
+ token_filters?: {
240
+ kind: "downcase";
241
+ }[] | undefined;
242
+ tokenizer?: {
243
+ kind: "standard";
244
+ } | {
245
+ kind: "ngram";
246
+ token_length: number;
247
+ } | undefined;
248
+ k?: number | undefined;
249
+ m?: number | undefined;
250
+ include_original?: boolean | undefined;
251
+ }>;
252
+ declare const steVecIndexOptsSchema: z.ZodObject<{
253
+ prefix: z.ZodString;
254
+ }, "strip", z.ZodTypeAny, {
255
+ prefix: string;
256
+ }, {
257
+ prefix: string;
258
+ }>;
259
+ declare const columnSchema: z.ZodDefault<z.ZodObject<{
260
+ cast_as: z.ZodDefault<z.ZodEnum<["bigint", "boolean", "date", "number", "string", "json"]>>;
261
+ indexes: z.ZodDefault<z.ZodObject<{
262
+ ore: z.ZodOptional<z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>>;
263
+ unique: z.ZodOptional<z.ZodObject<{
264
+ token_filters: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
265
+ kind: z.ZodLiteral<"downcase">;
266
+ }, "strip", z.ZodTypeAny, {
267
+ kind: "downcase";
268
+ }, {
269
+ kind: "downcase";
270
+ }>, "many">>>;
271
+ }, "strip", z.ZodTypeAny, {
272
+ token_filters?: {
273
+ kind: "downcase";
274
+ }[] | undefined;
275
+ }, {
276
+ token_filters?: {
277
+ kind: "downcase";
278
+ }[] | undefined;
279
+ }>>;
280
+ match: z.ZodOptional<z.ZodObject<{
281
+ tokenizer: z.ZodOptional<z.ZodDefault<z.ZodUnion<[z.ZodObject<{
282
+ kind: z.ZodLiteral<"standard">;
283
+ }, "strip", z.ZodTypeAny, {
284
+ kind: "standard";
285
+ }, {
286
+ kind: "standard";
287
+ }>, z.ZodObject<{
288
+ kind: z.ZodLiteral<"ngram">;
289
+ token_length: z.ZodNumber;
290
+ }, "strip", z.ZodTypeAny, {
291
+ kind: "ngram";
292
+ token_length: number;
293
+ }, {
294
+ kind: "ngram";
295
+ token_length: number;
296
+ }>]>>>;
297
+ token_filters: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
298
+ kind: z.ZodLiteral<"downcase">;
299
+ }, "strip", z.ZodTypeAny, {
300
+ kind: "downcase";
301
+ }, {
302
+ kind: "downcase";
303
+ }>, "many">>>;
304
+ k: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
305
+ m: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
306
+ include_original: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
307
+ }, "strip", z.ZodTypeAny, {
308
+ token_filters?: {
309
+ kind: "downcase";
310
+ }[] | undefined;
311
+ tokenizer?: {
312
+ kind: "standard";
313
+ } | {
314
+ kind: "ngram";
315
+ token_length: number;
316
+ } | undefined;
317
+ k?: number | undefined;
318
+ m?: number | undefined;
319
+ include_original?: boolean | undefined;
320
+ }, {
321
+ token_filters?: {
322
+ kind: "downcase";
323
+ }[] | undefined;
324
+ tokenizer?: {
325
+ kind: "standard";
326
+ } | {
327
+ kind: "ngram";
328
+ token_length: number;
329
+ } | undefined;
330
+ k?: number | undefined;
331
+ m?: number | undefined;
332
+ include_original?: boolean | undefined;
333
+ }>>;
334
+ ste_vec: z.ZodOptional<z.ZodObject<{
335
+ prefix: z.ZodString;
336
+ }, "strip", z.ZodTypeAny, {
337
+ prefix: string;
338
+ }, {
339
+ prefix: string;
340
+ }>>;
341
+ }, "strip", z.ZodTypeAny, {
342
+ ore?: {} | undefined;
343
+ match?: {
344
+ token_filters?: {
345
+ kind: "downcase";
346
+ }[] | undefined;
347
+ tokenizer?: {
348
+ kind: "standard";
349
+ } | {
350
+ kind: "ngram";
351
+ token_length: number;
352
+ } | undefined;
353
+ k?: number | undefined;
354
+ m?: number | undefined;
355
+ include_original?: boolean | undefined;
356
+ } | undefined;
357
+ unique?: {
358
+ token_filters?: {
359
+ kind: "downcase";
360
+ }[] | undefined;
361
+ } | undefined;
362
+ ste_vec?: {
363
+ prefix: string;
364
+ } | undefined;
365
+ }, {
366
+ ore?: {} | undefined;
367
+ match?: {
368
+ token_filters?: {
369
+ kind: "downcase";
370
+ }[] | undefined;
371
+ tokenizer?: {
372
+ kind: "standard";
373
+ } | {
374
+ kind: "ngram";
375
+ token_length: number;
376
+ } | undefined;
377
+ k?: number | undefined;
378
+ m?: number | undefined;
379
+ include_original?: boolean | undefined;
380
+ } | undefined;
381
+ unique?: {
382
+ token_filters?: {
383
+ kind: "downcase";
384
+ }[] | undefined;
385
+ } | undefined;
386
+ ste_vec?: {
387
+ prefix: string;
388
+ } | undefined;
389
+ }>>;
390
+ }, "strip", z.ZodTypeAny, {
391
+ cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
392
+ indexes: {
393
+ ore?: {} | undefined;
394
+ match?: {
395
+ token_filters?: {
396
+ kind: "downcase";
397
+ }[] | undefined;
398
+ tokenizer?: {
399
+ kind: "standard";
400
+ } | {
401
+ kind: "ngram";
402
+ token_length: number;
403
+ } | undefined;
404
+ k?: number | undefined;
405
+ m?: number | undefined;
406
+ include_original?: boolean | undefined;
407
+ } | undefined;
408
+ unique?: {
409
+ token_filters?: {
410
+ kind: "downcase";
411
+ }[] | undefined;
412
+ } | undefined;
413
+ ste_vec?: {
414
+ prefix: string;
415
+ } | undefined;
416
+ };
417
+ }, {
418
+ cast_as?: "string" | "number" | "bigint" | "boolean" | "date" | "json" | undefined;
419
+ indexes?: {
420
+ ore?: {} | undefined;
421
+ match?: {
422
+ token_filters?: {
423
+ kind: "downcase";
424
+ }[] | undefined;
425
+ tokenizer?: {
426
+ kind: "standard";
427
+ } | {
428
+ kind: "ngram";
429
+ token_length: number;
430
+ } | undefined;
431
+ k?: number | undefined;
432
+ m?: number | undefined;
433
+ include_original?: boolean | undefined;
434
+ } | undefined;
435
+ unique?: {
436
+ token_filters?: {
437
+ kind: "downcase";
438
+ }[] | undefined;
439
+ } | undefined;
440
+ ste_vec?: {
441
+ prefix: string;
442
+ } | undefined;
443
+ } | undefined;
444
+ }>>;
445
+ /** @internal */
446
+ declare const encryptConfigSchema: z.ZodObject<{
447
+ v: z.ZodNumber;
448
+ tables: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodDefault<z.ZodObject<{
449
+ cast_as: z.ZodDefault<z.ZodEnum<["bigint", "boolean", "date", "number", "string", "json"]>>;
450
+ indexes: z.ZodDefault<z.ZodObject<{
451
+ ore: z.ZodOptional<z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>>;
452
+ unique: z.ZodOptional<z.ZodObject<{
453
+ token_filters: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
454
+ kind: z.ZodLiteral<"downcase">;
455
+ }, "strip", z.ZodTypeAny, {
456
+ kind: "downcase";
457
+ }, {
458
+ kind: "downcase";
459
+ }>, "many">>>;
460
+ }, "strip", z.ZodTypeAny, {
461
+ token_filters?: {
462
+ kind: "downcase";
463
+ }[] | undefined;
464
+ }, {
465
+ token_filters?: {
466
+ kind: "downcase";
467
+ }[] | undefined;
468
+ }>>;
469
+ match: z.ZodOptional<z.ZodObject<{
470
+ tokenizer: z.ZodOptional<z.ZodDefault<z.ZodUnion<[z.ZodObject<{
471
+ kind: z.ZodLiteral<"standard">;
472
+ }, "strip", z.ZodTypeAny, {
473
+ kind: "standard";
474
+ }, {
475
+ kind: "standard";
476
+ }>, z.ZodObject<{
477
+ kind: z.ZodLiteral<"ngram">;
478
+ token_length: z.ZodNumber;
479
+ }, "strip", z.ZodTypeAny, {
480
+ kind: "ngram";
481
+ token_length: number;
482
+ }, {
483
+ kind: "ngram";
484
+ token_length: number;
485
+ }>]>>>;
486
+ token_filters: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
487
+ kind: z.ZodLiteral<"downcase">;
488
+ }, "strip", z.ZodTypeAny, {
489
+ kind: "downcase";
490
+ }, {
491
+ kind: "downcase";
492
+ }>, "many">>>;
493
+ k: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
494
+ m: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
495
+ include_original: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
496
+ }, "strip", z.ZodTypeAny, {
497
+ token_filters?: {
498
+ kind: "downcase";
499
+ }[] | undefined;
500
+ tokenizer?: {
501
+ kind: "standard";
502
+ } | {
503
+ kind: "ngram";
504
+ token_length: number;
505
+ } | undefined;
506
+ k?: number | undefined;
507
+ m?: number | undefined;
508
+ include_original?: boolean | undefined;
509
+ }, {
510
+ token_filters?: {
511
+ kind: "downcase";
512
+ }[] | undefined;
513
+ tokenizer?: {
514
+ kind: "standard";
515
+ } | {
516
+ kind: "ngram";
517
+ token_length: number;
518
+ } | undefined;
519
+ k?: number | undefined;
520
+ m?: number | undefined;
521
+ include_original?: boolean | undefined;
522
+ }>>;
523
+ ste_vec: z.ZodOptional<z.ZodObject<{
524
+ prefix: z.ZodString;
525
+ }, "strip", z.ZodTypeAny, {
526
+ prefix: string;
527
+ }, {
528
+ prefix: string;
529
+ }>>;
530
+ }, "strip", z.ZodTypeAny, {
531
+ ore?: {} | undefined;
532
+ match?: {
533
+ token_filters?: {
534
+ kind: "downcase";
535
+ }[] | undefined;
536
+ tokenizer?: {
537
+ kind: "standard";
538
+ } | {
539
+ kind: "ngram";
540
+ token_length: number;
541
+ } | undefined;
542
+ k?: number | undefined;
543
+ m?: number | undefined;
544
+ include_original?: boolean | undefined;
545
+ } | undefined;
546
+ unique?: {
547
+ token_filters?: {
548
+ kind: "downcase";
549
+ }[] | undefined;
550
+ } | undefined;
551
+ ste_vec?: {
552
+ prefix: string;
553
+ } | undefined;
554
+ }, {
555
+ ore?: {} | undefined;
556
+ match?: {
557
+ token_filters?: {
558
+ kind: "downcase";
559
+ }[] | undefined;
560
+ tokenizer?: {
561
+ kind: "standard";
562
+ } | {
563
+ kind: "ngram";
564
+ token_length: number;
565
+ } | undefined;
566
+ k?: number | undefined;
567
+ m?: number | undefined;
568
+ include_original?: boolean | undefined;
569
+ } | undefined;
570
+ unique?: {
571
+ token_filters?: {
572
+ kind: "downcase";
573
+ }[] | undefined;
574
+ } | undefined;
575
+ ste_vec?: {
576
+ prefix: string;
577
+ } | undefined;
578
+ }>>;
579
+ }, "strip", z.ZodTypeAny, {
580
+ cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
581
+ indexes: {
582
+ ore?: {} | undefined;
583
+ match?: {
584
+ token_filters?: {
585
+ kind: "downcase";
586
+ }[] | undefined;
587
+ tokenizer?: {
588
+ kind: "standard";
589
+ } | {
590
+ kind: "ngram";
591
+ token_length: number;
592
+ } | undefined;
593
+ k?: number | undefined;
594
+ m?: number | undefined;
595
+ include_original?: boolean | undefined;
596
+ } | undefined;
597
+ unique?: {
598
+ token_filters?: {
599
+ kind: "downcase";
600
+ }[] | undefined;
601
+ } | undefined;
602
+ ste_vec?: {
603
+ prefix: string;
604
+ } | undefined;
605
+ };
606
+ }, {
607
+ cast_as?: "string" | "number" | "bigint" | "boolean" | "date" | "json" | undefined;
608
+ indexes?: {
609
+ ore?: {} | undefined;
610
+ match?: {
611
+ token_filters?: {
612
+ kind: "downcase";
613
+ }[] | undefined;
614
+ tokenizer?: {
615
+ kind: "standard";
616
+ } | {
617
+ kind: "ngram";
618
+ token_length: number;
619
+ } | undefined;
620
+ k?: number | undefined;
621
+ m?: number | undefined;
622
+ include_original?: boolean | undefined;
623
+ } | undefined;
624
+ unique?: {
625
+ token_filters?: {
626
+ kind: "downcase";
627
+ }[] | undefined;
628
+ } | undefined;
629
+ ste_vec?: {
630
+ prefix: string;
631
+ } | undefined;
632
+ } | undefined;
633
+ }>>>>>>;
634
+ }, "strip", z.ZodTypeAny, {
635
+ v: number;
636
+ tables: Record<string, Record<string, {
637
+ cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
638
+ indexes: {
639
+ ore?: {} | undefined;
640
+ match?: {
641
+ token_filters?: {
642
+ kind: "downcase";
643
+ }[] | undefined;
644
+ tokenizer?: {
645
+ kind: "standard";
646
+ } | {
647
+ kind: "ngram";
648
+ token_length: number;
649
+ } | undefined;
650
+ k?: number | undefined;
651
+ m?: number | undefined;
652
+ include_original?: boolean | undefined;
653
+ } | undefined;
654
+ unique?: {
655
+ token_filters?: {
656
+ kind: "downcase";
657
+ }[] | undefined;
658
+ } | undefined;
659
+ ste_vec?: {
660
+ prefix: string;
661
+ } | undefined;
662
+ };
663
+ }>>;
664
+ }, {
665
+ v: number;
666
+ tables?: Record<string, Record<string, {
667
+ cast_as?: "string" | "number" | "bigint" | "boolean" | "date" | "json" | undefined;
668
+ indexes?: {
669
+ ore?: {} | undefined;
670
+ match?: {
671
+ token_filters?: {
672
+ kind: "downcase";
673
+ }[] | undefined;
674
+ tokenizer?: {
675
+ kind: "standard";
676
+ } | {
677
+ kind: "ngram";
678
+ token_length: number;
679
+ } | undefined;
680
+ k?: number | undefined;
681
+ m?: number | undefined;
682
+ include_original?: boolean | undefined;
683
+ } | undefined;
684
+ unique?: {
685
+ token_filters?: {
686
+ kind: "downcase";
687
+ }[] | undefined;
688
+ } | undefined;
689
+ ste_vec?: {
690
+ prefix: string;
691
+ } | undefined;
692
+ } | undefined;
693
+ } | undefined> | undefined> | undefined;
694
+ }>;
695
+ /**
696
+ * Type-safe alias for {@link castAsEnum} used to specify the *unencrypted* data type of a column or value.
697
+ * This is important because once encrypted, all data is stored as binary blobs.
698
+ *
699
+ * @see {@link castAsEnum} for possible values.
700
+ */
701
+ type CastAs = z.infer<typeof castAsEnum>;
702
+ type TokenFilter = z.infer<typeof tokenFilterSchema>;
703
+ type MatchIndexOpts = z.infer<typeof matchIndexOptsSchema>;
704
+ type SteVecIndexOpts = z.infer<typeof steVecIndexOptsSchema>;
705
+ type UniqueIndexOpts = z.infer<typeof uniqueIndexOptsSchema>;
706
+ type OreIndexOpts = z.infer<typeof oreIndexOptsSchema>;
707
+ type ColumnSchema = z.infer<typeof columnSchema>;
708
+ type ProtectTableColumn = {
709
+ [key: string]: ProtectColumn | {
710
+ [key: string]: ProtectValue | {
711
+ [key: string]: ProtectValue | {
712
+ [key: string]: ProtectValue;
713
+ };
714
+ };
715
+ };
716
+ };
717
+ type EncryptConfig = z.infer<typeof encryptConfigSchema>;
718
+ declare class ProtectValue {
719
+ private valueName;
720
+ private castAsValue;
721
+ constructor(valueName: string);
722
+ /**
723
+ * Set or override the plaintext data type for this value.
724
+ *
725
+ * By default all values are treated as `'string'`. Use this method to specify
726
+ * a different type so the encryption layer knows how to encode the plaintext
727
+ * before encrypting.
728
+ *
729
+ * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
730
+ * @returns This `ProtectValue` instance for method chaining.
731
+ *
732
+ * @example
733
+ * ```typescript
734
+ * import { encryptedValue } from "@cipherstash/stack/schema"
735
+ *
736
+ * const age = encryptedValue("age").dataType("number")
737
+ * ```
738
+ */
739
+ dataType(castAs: CastAs): this;
740
+ build(): {
741
+ cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
742
+ indexes: {};
743
+ };
744
+ getName(): string;
745
+ }
746
+ declare class ProtectColumn {
747
+ private columnName;
748
+ private castAsValue;
749
+ private indexesValue;
750
+ constructor(columnName: string);
751
+ /**
752
+ * Set or override the plaintext data type for this column.
753
+ *
754
+ * By default all columns are treated as `'string'`. Use this method to specify
755
+ * a different type so the encryption layer knows how to encode the plaintext
756
+ * before encrypting.
757
+ *
758
+ * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
759
+ * @returns This `ProtectColumn` instance for method chaining.
760
+ *
761
+ * @example
762
+ * ```typescript
763
+ * import { encryptedColumn } from "@cipherstash/stack/schema"
764
+ *
765
+ * const dateOfBirth = encryptedColumn("date_of_birth").dataType("date")
766
+ * ```
767
+ */
768
+ dataType(castAs: CastAs): this;
769
+ /**
770
+ * Enable Order-Revealing Encryption (ORE) indexing on this column.
771
+ *
772
+ * ORE allows sorting, comparison, and range queries on encrypted data.
773
+ * Use with `encryptQuery` and `queryType: 'orderAndRange'`.
774
+ *
775
+ * @returns This `ProtectColumn` instance for method chaining.
776
+ *
777
+ * @example
778
+ * ```typescript
779
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
780
+ *
781
+ * const users = encryptedTable("users", {
782
+ * email: encryptedColumn("email").orderAndRange(),
783
+ * })
784
+ * ```
785
+ */
786
+ orderAndRange(): this;
787
+ /**
788
+ * Enable an exact-match (unique) index on this column.
789
+ *
790
+ * Allows equality queries on encrypted data. Use with `encryptQuery`
791
+ * and `queryType: 'equality'`.
792
+ *
793
+ * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
794
+ * When omitted, no token filters are applied.
795
+ * @returns This `ProtectColumn` instance for method chaining.
796
+ *
797
+ * @example
798
+ * ```typescript
799
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
800
+ *
801
+ * const users = encryptedTable("users", {
802
+ * email: encryptedColumn("email").equality(),
803
+ * })
804
+ * ```
805
+ */
806
+ equality(tokenFilters?: TokenFilter[]): this;
807
+ /**
808
+ * Enable a full-text / fuzzy search (match) index on this column.
809
+ *
810
+ * Uses n-gram tokenization by default for substring and fuzzy matching.
811
+ * Use with `encryptQuery` and `queryType: 'freeTextSearch'`.
812
+ *
813
+ * @param opts - Optional match index configuration. Defaults to 3-character ngram
814
+ * tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
815
+ * @returns This `ProtectColumn` instance for method chaining.
816
+ *
817
+ * @example
818
+ * ```typescript
819
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
820
+ *
821
+ * const users = encryptedTable("users", {
822
+ * email: encryptedColumn("email").freeTextSearch(),
823
+ * })
824
+ *
825
+ * // With custom options
826
+ * const posts = encryptedTable("posts", {
827
+ * body: encryptedColumn("body").freeTextSearch({
828
+ * tokenizer: { kind: "ngram", token_length: 4 },
829
+ * k: 8,
830
+ * m: 4096,
831
+ * }),
832
+ * })
833
+ * ```
834
+ */
835
+ freeTextSearch(opts?: MatchIndexOpts): this;
836
+ /**
837
+ * Configure this column for searchable encrypted JSON (STE-Vec).
838
+ *
839
+ * Enables encrypted JSONPath selector queries (e.g. `'$.user.email'`) and
840
+ * containment queries (e.g. `{ role: 'admin' }`). Automatically sets the
841
+ * data type to `'json'`.
842
+ *
843
+ * When used with `encryptQuery`, the query operation is auto-inferred from
844
+ * the plaintext type: strings become selector queries, objects/arrays become
845
+ * containment queries.
846
+ *
847
+ * @returns This `ProtectColumn` instance for method chaining.
848
+ *
849
+ * @example
850
+ * ```typescript
851
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
852
+ *
853
+ * const documents = encryptedTable("documents", {
854
+ * metadata: encryptedColumn("metadata").searchableJson(),
855
+ * })
856
+ * ```
857
+ */
858
+ searchableJson(): this;
859
+ build(): {
860
+ cast_as: "string" | "number" | "bigint" | "boolean" | "date" | "json";
861
+ indexes: {
862
+ ore?: OreIndexOpts;
863
+ unique?: UniqueIndexOpts;
864
+ match?: Required<MatchIndexOpts>;
865
+ ste_vec?: SteVecIndexOpts;
866
+ };
867
+ };
868
+ getName(): string;
869
+ }
870
+ interface TableDefinition {
871
+ tableName: string;
872
+ columns: Record<string, ColumnSchema>;
873
+ }
874
+ declare class ProtectTable<T extends ProtectTableColumn> {
875
+ readonly tableName: string;
876
+ private readonly columnBuilders;
877
+ constructor(tableName: string, columnBuilders: T);
878
+ /**
879
+ * Compile this table schema into a `TableDefinition` used internally by the encryption client.
880
+ *
881
+ * Iterates over all column builders, calls `.build()` on each, and assembles
882
+ * the final `{ tableName, columns }` structure. For `searchableJson()` columns,
883
+ * the STE-Vec prefix is automatically set to `"<tableName>/<columnName>"`.
884
+ *
885
+ * @returns A `TableDefinition` containing the table name and built column configs.
886
+ *
887
+ * @example
888
+ * ```typescript
889
+ * const users = encryptedTable("users", {
890
+ * email: encryptedColumn("email").equality(),
891
+ * })
892
+ *
893
+ * const definition = users.build()
894
+ * // { tableName: "users", columns: { email: { cast_as: "string", indexes: { unique: ... } } } }
895
+ * ```
896
+ */
897
+ build(): TableDefinition;
898
+ }
899
+ /**
900
+ * Infer the plaintext (decrypted) type from a ProtectTable schema.
901
+ *
902
+ * @example
903
+ * ```typescript
904
+ * const users = encryptedTable("users", {
905
+ * email: encryptedColumn("email").equality(),
906
+ * name: encryptedColumn("name"),
907
+ * })
908
+ *
909
+ * type UserPlaintext = InferPlaintext<typeof users>
910
+ * // => { email: string; name: string }
911
+ * ```
912
+ */
913
+ type InferPlaintext<T extends ProtectTable<any>> = T extends ProtectTable<infer C> ? {
914
+ [K in keyof C as C[K] extends ProtectColumn | ProtectValue ? K : never]: string;
915
+ } : never;
916
+ /**
917
+ * Infer the encrypted type from a ProtectTable schema.
918
+ *
919
+ * @example
920
+ * ```typescript
921
+ * const users = encryptedTable("users", {
922
+ * email: encryptedColumn("email").equality(),
923
+ * })
924
+ *
925
+ * type UserEncrypted = InferEncrypted<typeof users>
926
+ * // => { email: Encrypted }
927
+ * ```
928
+ */
929
+ type InferEncrypted<T extends ProtectTable<any>> = T extends ProtectTable<infer C> ? {
930
+ [K in keyof C as C[K] extends ProtectColumn | ProtectValue ? K : never]: Encrypted;
931
+ } : never;
932
+ /**
933
+ * Define an encrypted table schema.
934
+ *
935
+ * Creates a `ProtectTable` that maps a database table name to a set of encrypted
936
+ * column definitions. Pass the resulting object to `Encryption({ schemas: [...] })`
937
+ * when initializing the client.
938
+ *
939
+ * The returned object is also a proxy that exposes each column builder directly,
940
+ * so you can reference columns as `users.email` when calling `encrypt`, `decrypt`,
941
+ * and `encryptQuery`.
942
+ *
943
+ * @param tableName - The name of the database table this schema represents.
944
+ * @param columns - An object whose keys are logical column names and values are
945
+ * `ProtectColumn` instances created with {@link encryptedColumn}.
946
+ * @returns A `ProtectTable<T> & T` that can be used as both a schema definition
947
+ * and a column accessor.
948
+ *
949
+ * @example
950
+ * ```typescript
951
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
952
+ *
953
+ * const users = encryptedTable("users", {
954
+ * email: encryptedColumn("email").equality().freeTextSearch(),
955
+ * address: encryptedColumn("address"),
956
+ * })
957
+ *
958
+ * // Use as schema
959
+ * const client = await Encryption({ schemas: [users] })
960
+ *
961
+ * // Use as column accessor
962
+ * await client.encrypt("hello@example.com", { column: users.email, table: users })
963
+ * ```
964
+ */
965
+ declare function encryptedTable<T extends ProtectTableColumn>(tableName: string, columns: T): ProtectTable<T> & T;
966
+ /**
967
+ * Define an encrypted column within a table schema.
968
+ *
969
+ * Creates a `ProtectColumn` builder for the given column name. Chain index
970
+ * methods (`.equality()`, `.freeTextSearch()`, `.orderAndRange()`,
971
+ * `.searchableJson()`) and/or `.dataType()` to configure searchable encryption
972
+ * and the plaintext data type.
973
+ *
974
+ * @param columnName - The name of the database column to encrypt.
975
+ * @returns A new `ProtectColumn` builder.
976
+ *
977
+ * @example
978
+ * ```typescript
979
+ * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
980
+ *
981
+ * const users = encryptedTable("users", {
982
+ * email: encryptedColumn("email").equality().freeTextSearch().orderAndRange(),
983
+ * })
984
+ * ```
985
+ */
986
+ declare function encryptedColumn(columnName: string): ProtectColumn;
987
+ /**
988
+ * Define an encrypted value for use in nested or structured schemas.
989
+ *
990
+ * `encryptedValue` is similar to {@link encryptedColumn} but creates a `ProtectValue`
991
+ * intended for nested fields within a table schema. It supports `.dataType()`
992
+ * for specifying the plaintext type.
993
+ *
994
+ * @param valueName - The name of the value field.
995
+ * @returns A new `ProtectValue` builder.
996
+ *
997
+ * @example
998
+ * ```typescript
999
+ * import { encryptedTable, encryptedValue } from "@cipherstash/stack/schema"
1000
+ *
1001
+ * const orders = encryptedTable("orders", {
1002
+ * details: {
1003
+ * amount: encryptedValue("amount").dataType("number"),
1004
+ * currency: encryptedValue("currency"),
1005
+ * },
1006
+ * })
1007
+ * ```
1008
+ */
1009
+ declare function encryptedValue(valueName: string): ProtectValue;
1010
+ /** @internal */
1011
+ declare function buildEncryptConfig(...protectTables: Array<ProtectTable<ProtectTableColumn>>): EncryptConfig;
1012
+
1013
+ export { type EncryptedSearchTerm as A, type BulkDecryptedData as B, type CastAs as C, type Decrypted as D, type EncryptionClientConfig as E, type EncryptedFields as F, type OtherFields as G, type DecryptedFields as H, type InferPlaintext as I, type DecryptionResult as J, type KeysetIdentifier as K, type LoggingConfig as L, type MatchIndexOpts as M, queryTypes as N, type OreIndexOpts as O, ProtectColumn as P, type QueryTypeName as Q, type ScalarQueryTerm as S, type TokenFilter as T, type UniqueIndexOpts as U, encryptedColumn as a, encryptedValue as b, type InferEncrypted as c, ProtectTable as d, encryptedTable as e, type ProtectTableColumn as f, ProtectValue as g, type Encrypted as h, type EncryptedValue as i, type EncryptedQueryResult as j, type Client as k, type BulkDecryptPayload as l, type BulkEncryptedData as m, type BulkEncryptPayload as n, type EncryptOptions as o, type EncryptQueryOptions as p, type EncryptedReturnType as q, type EncryptConfig as r, castAsEnum as s, encryptConfigSchema as t, type SteVecIndexOpts as u, type ColumnSchema as v, buildEncryptConfig as w, type EncryptPayload as x, type ClientConfig as y, type SearchTerm as z };