@cipherstash/stack 0.1.0

package/dist/types-public.cjs

@@ -0,0 +1,40 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/types-public.ts
+var types_public_exports = {};
+__export(types_public_exports, {
+  queryTypes: () => queryTypes
+});
+module.exports = __toCommonJS(types_public_exports);
+
+// src/types.ts
+var queryTypes = {
+  orderAndRange: "orderAndRange",
+  freeTextSearch: "freeTextSearch",
+  equality: "equality",
+  steVecSelector: "steVecSelector",
+  steVecTerm: "steVecTerm",
+  searchableJson: "searchableJson"
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  queryTypes
+});
+//# sourceMappingURL=types-public.cjs.map

package/dist/types-public.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types-public.ts","../src/types.ts"],"sourcesContent":["/**\n * Public type re-exports for `@cipherstash/stack/types`.\n *\n * This module exposes only the public types from the internal types module.\n * Internal helpers (`queryTypeToFfi`, `queryTypeToQueryOp`, `FfiIndexTypeName`,\n * `QueryTermBase`) are excluded.\n */\n\n// Core types\nexport type {\n  Client,\n  EncryptedValue,\n  Encrypted,\n  EncryptPayload,\n} from '@/types'\n\n// Client configuration\nexport type {\n  KeysetIdentifier,\n  ClientConfig,\n  EncryptionClientConfig,\n} from '@/types'\n\n// Encrypt / decrypt operation options and results\nexport type {\n  EncryptOptions,\n  EncryptedReturnType,\n  SearchTerm,\n  EncryptedSearchTerm,\n  EncryptedQueryResult,\n} from '@/types'\n\n// Model field types\nexport type {\n  EncryptedFields,\n  OtherFields,\n  DecryptedFields,\n  Decrypted,\n} from '@/types'\n\n// Bulk operations\nexport type {\n  BulkEncryptPayload,\n  BulkEncryptedData,\n  BulkDecryptPayload,\n  BulkDecryptedData,\n  DecryptionResult,\n} from '@/types'\n\n// Query types (public only)\nexport type {\n  QueryTypeName,\n  EncryptQueryOptions,\n  ScalarQueryTerm,\n} from '@/types'\n\n// Logging\nexport type { LoggingConfig } from '@/utils/logger'\n\n// Runtime values\nexport { queryTypes } from '@/types'\n","import type {\n  ProtectColumn,\n  ProtectTable,\n  ProtectTableColumn,\n  ProtectValue,\n} from '@/schema'\nimport type { LoggingConfig } from '@/utils/logger'\nimport type {\n  Encrypted as CipherStashEncrypted,\n  JsPlaintext,\n  QueryOpName,\n  newClient,\n} from '@cipherstash/protect-ffi'\n\n// ---------------------------------------------------------------------------\n// Branded type utilities\n// ---------------------------------------------------------------------------\n\n/** Brand symbol for nominal typing */\ndeclare const __brand: unique symbol\n\n/** Creates a branded type that is structurally incompatible with the base type */\ntype Brand<T, B extends string> = T & { readonly [__brand]: B }\n\n// ---------------------------------------------------------------------------\n// Core types\n// ---------------------------------------------------------------------------\n\nexport type Client = Awaited<ReturnType<typeof newClient>> | undefined\n\n/** A branded type representing encrypted data. Cannot be accidentally used as plaintext. */\nexport type EncryptedValue = Brand<CipherStashEncrypted, 'encrypted'> | null\n\n/** Structural type representing encrypted data. See also `EncryptedValue` for branded nominal typing. */\nexport type Encrypted = CipherStashEncrypted | null\n\nexport type EncryptPayload = JsPlaintext | null\n\n// ---------------------------------------------------------------------------\n// Client configuration\n// ---------------------------------------------------------------------------\n\nexport type KeysetIdentifier = { name: string } | { id: string }\n\nexport type ClientConfig = {\n  /**\n   * The CipherStash workspace CRN (Cloud Resource Name).\n   * Format: `crn:<region>.aws:<workspace-id>`.\n   * Can also be set via the `CS_WORKSPACE_CRN` environment variable.\n   * If omitted, the SDK reads from the environment or TOML config files.\n   */\n  workspaceCrn?: string\n\n  /**\n   * The API access key used for authenticating with the CipherStash API.\n   * Can also be set via the `CS_CLIENT_ACCESS_KEY` environment variable.\n   * Obtain this from the CipherStash dashboard after creating a workspace.\n   */\n  accessKey?: string\n\n  /**\n   * The client identifier used to authenticate with CipherStash services.\n   * Can also be set via the `CS_CLIENT_ID` environment variable.\n   * Generated during workspace onboarding in the CipherStash dashboard.\n   */\n  clientId?: string\n\n  /**\n   * The client key material used in combination with ZeroKMS for encryption operations.\n   * Can also be set via the `CS_CLIENT_KEY` environment variable.\n   * Generated during workspace onboarding in the CipherStash dashboard.\n   */\n  clientKey?: string\n\n  /**\n   * An optional keyset identifier for multi-tenant encryption.\n   * Each keyset provides cryptographic isolation, giving each tenant its own keyspace.\n   * Specify by name (`{ name: \"tenant-a\" }`) or UUID (`{ id: \"...\" }`).\n   * Keysets are created and managed in the CipherStash dashboard.\n   */\n  keyset?: KeysetIdentifier\n}\n\ntype AtLeastOneCsTable<T> = [T, ...T[]]\n\nexport type EncryptionClientConfig = {\n  schemas: AtLeastOneCsTable<ProtectTable<ProtectTableColumn>>\n  config?: ClientConfig\n  logging?: LoggingConfig\n}\n\n// ---------------------------------------------------------------------------\n// Encrypt / decrypt operation options and results\n// ---------------------------------------------------------------------------\n\nexport type EncryptOptions = {\n  column: ProtectColumn | ProtectValue\n  table: ProtectTable<ProtectTableColumn>\n}\n\n/** Format for encrypted query/search term return values */\nexport type EncryptedReturnType =\n  | 'eql'\n  | 'composite-literal'\n  | 'escaped-composite-literal'\n\nexport type SearchTerm = {\n  value: JsPlaintext\n  column: ProtectColumn\n  table: ProtectTable<ProtectTableColumn>\n  returnType?: EncryptedReturnType\n}\n\n/** Encrypted search term result: EQL object or composite literal string */\nexport type EncryptedSearchTerm = Encrypted | string\n\n/** Result of encryptQuery (single or batch): EQL, composite literal string, or null */\nexport type EncryptedQueryResult = Encrypted | string | null\n\n// ---------------------------------------------------------------------------\n// Model field types (encrypted vs decrypted views)\n// ---------------------------------------------------------------------------\n\nexport type EncryptedFields<T> = {\n  [K in keyof T as T[K] extends Encrypted ? K : never]: T[K]\n}\n\nexport type OtherFields<T> = {\n  [K in keyof T as T[K] extends Encrypted ? never : K]: T[K]\n}\n\nexport type DecryptedFields<T> = {\n  [K in keyof T as T[K] extends Encrypted ? K : never]: string\n}\n\n/** Model with encrypted fields replaced by plaintext (decrypted) values */\nexport type Decrypted<T> = OtherFields<T> & DecryptedFields<T>\n\n// ---------------------------------------------------------------------------\n// Bulk operations\n// ---------------------------------------------------------------------------\n\nexport type BulkEncryptPayload = Array<{\n  id?: string\n  plaintext: JsPlaintext | null\n}>\n\nexport type BulkEncryptedData = Array<{ id?: string; data: Encrypted }>\nexport type BulkDecryptPayload = Array<{ id?: string; data: Encrypted }>\nexport type BulkDecryptedData = Array<DecryptionResult<JsPlaintext | null>>\n\ntype DecryptionSuccess<T> = { error?: never; data: T; id?: string }\ntype DecryptionError<T> = { error: T; id?: string; data?: never }\n\n/**\n * Result type for individual items in bulk decrypt operations.\n * Uses `error`/`data` fields (not `failure`/`data`) since bulk operations\n * can have per-item failures.\n */\nexport type DecryptionResult<T> = DecryptionSuccess<T> | DecryptionError<T>\n\n// ---------------------------------------------------------------------------\n// Query types (for searchable encryption / encryptQuery)\n// ---------------------------------------------------------------------------\n\n/**\n * User-facing query type names for encrypting query values.\n *\n * - `'equality'`: Exact match. [Exact Queries](https://cipherstash.com/docs/platform/searchable-encryption/supported-queries/exact)\n * - `'freeTextSearch'`: Text search. [Match Queries](https://cipherstash.com/docs/platform/searchable-encryption/supported-queries/match)\n * - `'orderAndRange'`: Comparison and range. [Range Queries](https://cipherstash.com/docs/platform/searchable-encryption/supported-queries/range)\n * - `'steVecSelector'`: JSONPath selector (e.g. `'$.user.email'`)\n * - `'steVecTerm'`: Containment (e.g. `{ role: 'admin' }`)\n * - `'searchableJson'`: Auto-infers selector or term from plaintext type (recommended)\n */\nexport type QueryTypeName =\n  | 'orderAndRange'\n  | 'freeTextSearch'\n  | 'equality'\n  | 'steVecSelector'\n  | 'steVecTerm'\n  | 'searchableJson'\n\n/** @internal */\nexport type FfiIndexTypeName = 'ore' | 'match' | 'unique' | 'ste_vec'\n\nexport const queryTypes = {\n  orderAndRange: 'orderAndRange',\n  freeTextSearch: 'freeTextSearch',\n  equality: 'equality',\n  steVecSelector: 'steVecSelector',\n  steVecTerm: 'steVecTerm',\n  searchableJson: 'searchableJson',\n} as const satisfies Record<string, QueryTypeName>\n\n/** @internal */\nexport const queryTypeToFfi: Record<QueryTypeName, FfiIndexTypeName> = {\n  orderAndRange: 'ore',\n  freeTextSearch: 'match',\n  equality: 'unique',\n  steVecSelector: 'ste_vec',\n  steVecTerm: 'ste_vec',\n  searchableJson: 'ste_vec',\n}\n\n/** @internal */\nexport const queryTypeToQueryOp: Partial<Record<QueryTypeName, QueryOpName>> = {\n  steVecSelector: 'ste_vec_selector',\n  steVecTerm: 'ste_vec_term',\n}\n\n/** @internal */\nexport type QueryTermBase = {\n  column: ProtectColumn\n  table: ProtectTable<ProtectTableColumn>\n  queryType?: QueryTypeName\n  returnType?: EncryptedReturnType\n}\n\nexport type EncryptQueryOptions = QueryTermBase\n\nexport type ScalarQueryTerm = QueryTermBase & {\n  value: JsPlaintext | null\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;AC0LO,IAAM,aAAa;AAAA,EACxB,eAAe;AAAA,EACf,gBAAgB;AAAA,EAChB,UAAU;AAAA,EACV,gBAAgB;AAAA,EAChB,YAAY;AAAA,EACZ,gBAAgB;AAClB;","names":[]}

package/dist/types-public.d.cts

@@ -0,0 +1,4 @@
+export { l as BulkDecryptPayload, B as BulkDecryptedData, n as BulkEncryptPayload, m as BulkEncryptedData, k as Client, y as ClientConfig, D as Decrypted, H as DecryptedFields, J as DecryptionResult, o as EncryptOptions, x as EncryptPayload, p as EncryptQueryOptions, h as Encrypted, F as EncryptedFields, j as EncryptedQueryResult, q as EncryptedReturnType, A as EncryptedSearchTerm, i as EncryptedValue, E as EncryptionClientConfig, K as KeysetIdentifier, L as LoggingConfig, G as OtherFields, Q as QueryTypeName, S as ScalarQueryTerm, z as SearchTerm, N as queryTypes } from './types-public-BCj1L4fi.cjs';
+import 'zod';
+import 'evlog';
+import '@cipherstash/protect-ffi';

package/dist/types-public.d.ts

@@ -0,0 +1,4 @@
+export { l as BulkDecryptPayload, B as BulkDecryptedData, n as BulkEncryptPayload, m as BulkEncryptedData, k as Client, y as ClientConfig, D as Decrypted, H as DecryptedFields, J as DecryptionResult, o as EncryptOptions, x as EncryptPayload, p as EncryptQueryOptions, h as Encrypted, F as EncryptedFields, j as EncryptedQueryResult, q as EncryptedReturnType, A as EncryptedSearchTerm, i as EncryptedValue, E as EncryptionClientConfig, K as KeysetIdentifier, L as LoggingConfig, G as OtherFields, Q as QueryTypeName, S as ScalarQueryTerm, z as SearchTerm, N as queryTypes } from './types-public-BCj1L4fi.js';
+import 'zod';
+import 'evlog';
+import '@cipherstash/protect-ffi';

package/dist/types-public.js

@@ -0,0 +1,7 @@
+import {
+  queryTypes
+} from "./chunk-SJ7JO4ME.js";
+export {
+  queryTypes
+};
+//# sourceMappingURL=types-public.js.map

package/dist/types-public.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json

@@ -0,0 +1,202 @@
+{
+  "name": "@cipherstash/stack",
+  "version": "0.1.0",
+  "description": "CipherStash Stack for TypeScript and JavaScript",
+  "keywords": [
+    "encrypted",
+    "searchable",
+    "language",
+    "typescript",
+    "ts",
+    "stack"
+  ],
+  "bugs": {
+    "url": "https://github.com/cipherstash/protectjs/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cipherstash/protectjs.git",
+    "directory": "packages/stack"
+  },
+  "license": "MIT",
+  "author": "CipherStash <hello@cipherstash.com>",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "type": "module",
+  "bin": {
+    "stash": "./dist/bin/stash.js"
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "sideEffects": false,
+  "types": "./dist/index.d.ts",
+  "typesVersions": {
+    "*": {
+      "client": [
+        "./dist/client.d.ts"
+      ],
+      "identity": [
+        "./dist/identity/index.d.ts"
+      ],
+      "secrets": [
+        "./dist/secrets/index.d.ts"
+      ],
+      "schema": [
+        "./dist/schema/index.d.ts"
+      ],
+      "types": [
+        "./dist/types-public.d.ts"
+      ],
+      "drizzle": [
+        "./dist/drizzle/index.d.ts"
+      ],
+      "dynamodb": [
+        "./dist/dynamodb/index.d.ts"
+      ],
+      "supabase": [
+        "./dist/supabase/index.d.ts"
+      ]
+    }
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./client": {
+      "import": {
+        "types": "./dist/client.d.ts",
+        "default": "./dist/client.js"
+      },
+      "require": {
+        "types": "./dist/client.d.cts",
+        "default": "./dist/client.cjs"
+      }
+    },
+    "./identity": {
+      "import": {
+        "types": "./dist/identity/index.d.ts",
+        "default": "./dist/identity/index.js"
+      },
+      "require": {
+        "types": "./dist/identity/index.d.cts",
+        "default": "./dist/identity/index.cjs"
+      }
+    },
+    "./secrets": {
+      "import": {
+        "types": "./dist/secrets/index.d.ts",
+        "default": "./dist/secrets/index.js"
+      },
+      "require": {
+        "types": "./dist/secrets/index.d.cts",
+        "default": "./dist/secrets/index.cjs"
+      }
+    },
+    "./schema": {
+      "import": {
+        "types": "./dist/schema/index.d.ts",
+        "default": "./dist/schema/index.js"
+      },
+      "require": {
+        "types": "./dist/schema/index.d.cts",
+        "default": "./dist/schema/index.cjs"
+      }
+    },
+    "./types": {
+      "import": {
+        "types": "./dist/types-public.d.ts",
+        "default": "./dist/types-public.js"
+      },
+      "require": {
+        "types": "./dist/types-public.d.cts",
+        "default": "./dist/types-public.cjs"
+      }
+    },
+    "./drizzle": {
+      "import": {
+        "types": "./dist/drizzle/index.d.ts",
+        "default": "./dist/drizzle/index.js"
+      },
+      "require": {
+        "types": "./dist/drizzle/index.d.cts",
+        "default": "./dist/drizzle/index.cjs"
+      }
+    },
+    "./dynamodb": {
+      "import": {
+        "types": "./dist/dynamodb/index.d.ts",
+        "default": "./dist/dynamodb/index.js"
+      },
+      "require": {
+        "types": "./dist/dynamodb/index.d.cts",
+        "default": "./dist/dynamodb/index.cjs"
+      }
+    },
+    "./supabase": {
+      "import": {
+        "types": "./dist/supabase/index.d.ts",
+        "default": "./dist/supabase/index.js"
+      },
+      "require": {
+        "types": "./dist/supabase/index.d.cts",
+        "default": "./dist/supabase/index.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "devDependencies": {
+    "@clack/prompts": "^0.10.1",
+    "@supabase/supabase-js": "^2.47.10",
+    "dotenv": "16.4.7",
+    "drizzle-orm": ">=0.33",
+    "execa": "^9.5.2",
+    "json-schema-to-typescript": "^15.0.2",
+    "postgres": "^3.4.8",
+    "tsup": "8.4.0",
+    "tsx": "4.19.3",
+    "typescript": "5.6.3",
+    "vitest": "3.1.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@byteslice/result": "^0.2.0",
+    "@cipherstash/protect-ffi": "0.20.1",
+    "evlog": "^1.9.0",
+    "zod": "3.24.2"
+  },
+  "peerDependencies": {
+    "@supabase/supabase-js": ">=2",
+    "drizzle-orm": ">=0.33"
+  },
+  "peerDependenciesMeta": {
+    "drizzle-orm": {
+      "optional": true
+    },
+    "@supabase/supabase-js": {
+      "optional": true
+    }
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsup",
+    "postbuild": "chmod +x ./dist/bin/stash.js",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "release": "tsup"
+  }
+}