@cipherstash/stack 0.1.0

package/dist/chunk-2GZMIJFO.js

@@ -0,0 +1,2400 @@
+import {
+  formatEncryptedResult,
+  isEncryptedPayload,
+  toFfiKeysetIdentifier
+} from "./chunk-SUYMGQBY.js";
+import {
+  queryTypeToFfi,
+  queryTypeToQueryOp
+} from "./chunk-SJ7JO4ME.js";
+import {
+  EncryptionErrorTypes,
+  createRequestLogger,
+  initStackLogger,
+  loadWorkSpaceId,
+  logger
+} from "./chunk-5DCT6YU2.js";
+import {
+  buildEncryptConfig,
+  encryptConfigSchema
+} from "./chunk-7XRPN2KX.js";
+
+// src/encryption/ffi/index.ts
+import { withResult as withResult11 } from "@byteslice/result";
+import { newClient } from "@cipherstash/protect-ffi";
+
+// src/encryption/ffi/helpers/type-guards.ts
+function isScalarQueryTermArray(value) {
+  return Array.isArray(value) && value.length > 0 && typeof value[0] === "object" && value[0] !== null && "column" in value[0] && "table" in value[0];
+}
+
+// src/encryption/ffi/helpers/error-code.ts
+import {
+  ProtectError as FfiProtectError
+} from "@cipherstash/protect-ffi";
+function getErrorCode(error) {
+  return error instanceof FfiProtectError ? error.code : void 0;
+}
+
+// src/encryption/ffi/operations/batch-encrypt-query.ts
+import { withResult } from "@byteslice/result";
+import {
+  encryptQueryBulk as ffiEncryptQueryBulk
+} from "@cipherstash/protect-ffi";
+
+// src/encryption/ffi/helpers/infer-index-type.ts
+function inferIndexType(column) {
+  const config = column.build();
+  const indexes = config.indexes;
+  if (!indexes || Object.keys(indexes).length === 0) {
+    throw new Error(`Column "${column.getName()}" has no indexes configured`);
+  }
+  if (indexes.unique) return "unique";
+  if (indexes.match) return "match";
+  if (indexes.ore) return "ore";
+  if (indexes.ste_vec) return "ste_vec";
+  throw new Error(
+    `Column "${column.getName()}" has no suitable index for queries`
+  );
+}
+function inferQueryOpFromPlaintext(plaintext) {
+  if (typeof plaintext === "string") {
+    return "ste_vec_selector";
+  }
+  if (typeof plaintext === "object" || typeof plaintext === "number" || typeof plaintext === "boolean" || typeof plaintext === "bigint") {
+    return "ste_vec_term";
+  }
+  return "ste_vec_term";
+}
+function validateIndexType(column, indexType) {
+  const config = column.build();
+  const indexes = config.indexes ?? {};
+  const indexMap = {
+    unique: !!indexes.unique,
+    match: !!indexes.match,
+    ore: !!indexes.ore,
+    ste_vec: !!indexes.ste_vec
+  };
+  if (!indexMap[indexType]) {
+    throw new Error(
+      `Index type "${indexType}" is not configured on column "${column.getName()}"`
+    );
+  }
+}
+function resolveIndexType(column, queryType, plaintext) {
+  const indexType = queryType ? queryTypeToFfi[queryType] : inferIndexType(column);
+  if (queryType) {
+    validateIndexType(column, indexType);
+    if (queryType === "searchableJson") {
+      if (plaintext === void 0 || plaintext === null) {
+        return { indexType };
+      }
+      return { indexType, queryOp: inferQueryOpFromPlaintext(plaintext) };
+    }
+    return { indexType, queryOp: queryTypeToQueryOp[queryType] };
+  }
+  if (indexType === "ste_vec") {
+    if (plaintext === void 0 || plaintext === null) {
+      return { indexType };
+    }
+    return { indexType, queryOp: inferQueryOpFromPlaintext(plaintext) };
+  }
+  return { indexType };
+}
+
+// src/encryption/ffi/helpers/validation.ts
+function validateNumericValue(value) {
+  if (typeof value === "number" && Number.isNaN(value)) {
+    return {
+      failure: {
+        type: EncryptionErrorTypes.EncryptionError,
+        message: "[encryption]: Cannot encrypt NaN value"
+      }
+    };
+  }
+  if (typeof value === "number" && !Number.isFinite(value)) {
+    return {
+      failure: {
+        type: EncryptionErrorTypes.EncryptionError,
+        message: "[encryption]: Cannot encrypt Infinity value"
+      }
+    };
+  }
+  return void 0;
+}
+function assertValidNumericValue(value) {
+  if (typeof value === "number" && Number.isNaN(value)) {
+    throw new Error("[encryption]: Cannot encrypt NaN value");
+  }
+  if (typeof value === "number" && !Number.isFinite(value)) {
+    throw new Error("[encryption]: Cannot encrypt Infinity value");
+  }
+}
+function assertValueIndexCompatibility(value, indexType, columnName) {
+  if (typeof value === "number" && indexType === "match") {
+    throw new Error(
+      `[encryption]: Cannot use 'match' index with numeric value on column "${columnName}". The 'freeTextSearch' index only supports string values. Configure the column with 'orderAndRange()' or 'equality()' for numeric queries.`
+    );
+  }
+}
+
+// src/encryption/ffi/operations/base-operation.ts
+var EncryptionOperation = class {
+  auditMetadata;
+  /**
+   * Attach audit metadata to this operation. Can be chained.
+   * @param config Configuration for ZeroKMS audit logging
+   * @param config.metadata Arbitrary JSON object for appending metadata to the audit log
+   */
+  audit(config) {
+    this.auditMetadata = config.metadata;
+    return this;
+  }
+  /**
+   * Get the audit data for this operation.
+   */
+  getAuditData() {
+    return {
+      metadata: this.auditMetadata
+    };
+  }
+  /**
+   * Make the operation thenable
+   */
+  then(onfulfilled, onrejected) {
+    return this.execute().then(onfulfilled, onrejected);
+  }
+};
+
+// src/encryption/ffi/operations/batch-encrypt-query.ts
+function filterNullTerms(terms) {
+  const nullIndices = /* @__PURE__ */ new Set();
+  const nonNullTerms = [];
+  terms.forEach((term, index) => {
+    if (term.value === null || term.value === void 0) {
+      nullIndices.add(index);
+    } else {
+      nonNullTerms.push({ term, originalIndex: index });
+    }
+  });
+  return { nullIndices, nonNullTerms };
+}
+function buildQueryPayload(term, lockContext) {
+  assertValidNumericValue(term.value);
+  const { indexType, queryOp } = resolveIndexType(
+    term.column,
+    term.queryType,
+    term.value
+  );
+  assertValueIndexCompatibility(term.value, indexType, term.column.getName());
+  const payload = {
+    plaintext: term.value,
+    column: term.column.getName(),
+    table: term.table.tableName,
+    indexType,
+    queryOp
+  };
+  if (lockContext != null) {
+    payload.lockContext = lockContext;
+  }
+  return payload;
+}
+function assembleResults(totalLength, encryptedValues, nonNullTerms) {
+  const results = new Array(totalLength).fill(null);
+  nonNullTerms.forEach(({ term, originalIndex }, i) => {
+    const encrypted = encryptedValues[i];
+    results[originalIndex] = formatEncryptedResult(encrypted, term.returnType);
+  });
+  return results;
+}
+var BatchEncryptQueryOperation = class extends EncryptionOperation {
+  constructor(client, terms) {
+    super();
+    this.client = client;
+    this.terms = terms;
+  }
+  withLockContext(lockContext) {
+    return new BatchEncryptQueryOperationWithLockContext(
+      this.client,
+      this.terms,
+      lockContext,
+      this.auditMetadata
+    );
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "batchEncryptQuery",
+      count: this.terms.length,
+      lockContext: false
+    });
+    if (this.terms.length === 0) {
+      log.emit();
+      return { data: [] };
+    }
+    const { nullIndices, nonNullTerms } = filterNullTerms(this.terms);
+    if (nonNullTerms.length === 0) {
+      log.emit();
+      return { data: this.terms.map(() => null) };
+    }
+    const result = await withResult(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const queries = nonNullTerms.map(
+          ({ term }) => buildQueryPayload(term)
+        );
+        const encrypted = await ffiEncryptQueryBulk(this.client, {
+          queries,
+          unverifiedContext: metadata
+        });
+        return assembleResults(this.terms.length, encrypted, nonNullTerms);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+var BatchEncryptQueryOperationWithLockContext = class extends EncryptionOperation {
+  constructor(client, terms, lockContext, auditMetadata) {
+    super();
+    this.client = client;
+    this.terms = terms;
+    this.lockContext = lockContext;
+    this.auditMetadata = auditMetadata;
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "batchEncryptQuery",
+      count: this.terms.length,
+      lockContext: true
+    });
+    if (this.terms.length === 0) {
+      log.emit();
+      return { data: [] };
+    }
+    const { nullIndices, nonNullTerms } = filterNullTerms(this.terms);
+    if (nonNullTerms.length === 0) {
+      log.emit();
+      return { data: this.terms.map(() => null) };
+    }
+    const lockContextResult = await this.lockContext.getLockContext();
+    if (lockContextResult.failure) {
+      log.emit();
+      return { failure: lockContextResult.failure };
+    }
+    const { ctsToken, context } = lockContextResult.data;
+    const result = await withResult(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const queries = nonNullTerms.map(
+          ({ term }) => buildQueryPayload(term, context)
+        );
+        const encrypted = await ffiEncryptQueryBulk(this.client, {
+          queries,
+          serviceToken: ctsToken,
+          unverifiedContext: metadata
+        });
+        return assembleResults(this.terms.length, encrypted, nonNullTerms);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-decrypt.ts
+import { withResult as withResult2 } from "@byteslice/result";
+import {
+  decryptBulkFallible
+} from "@cipherstash/protect-ffi";
+var createDecryptPayloads = (encryptedPayloads, lockContext) => {
+  return encryptedPayloads.map((item, index) => ({ ...item, originalIndex: index })).filter(({ data }) => data !== null).map(({ id, data, originalIndex }) => ({
+    id,
+    ciphertext: data,
+    originalIndex,
+    ...lockContext && { lockContext }
+  }));
+};
+var createNullResult = (encryptedPayloads) => {
+  return encryptedPayloads.map(({ id }) => ({
+    id,
+    data: null
+  }));
+};
+var mapDecryptedDataToResult = (encryptedPayloads, decryptedData) => {
+  const result = new Array(encryptedPayloads.length);
+  let decryptedIndex = 0;
+  for (let i = 0; i < encryptedPayloads.length; i++) {
+    if (encryptedPayloads[i].data === null) {
+      result[i] = { id: encryptedPayloads[i].id, data: null };
+    } else {
+      const decryptResult = decryptedData[decryptedIndex];
+      if ("error" in decryptResult) {
+        result[i] = {
+          id: encryptedPayloads[i].id,
+          error: decryptResult.error
+        };
+      } else {
+        result[i] = {
+          id: encryptedPayloads[i].id,
+          data: decryptResult.data
+        };
+      }
+      decryptedIndex++;
+    }
+  }
+  return result;
+};
+var BulkDecryptOperation = class extends EncryptionOperation {
+  client;
+  encryptedPayloads;
+  constructor(client, encryptedPayloads) {
+    super();
+    this.client = client;
+    this.encryptedPayloads = encryptedPayloads;
+  }
+  withLockContext(lockContext) {
+    return new BulkDecryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkDecrypt",
+      count: this.encryptedPayloads?.length ?? 0,
+      lockContext: false
+    });
+    const result = await withResult2(
+      async () => {
+        if (!this.client) throw noClientError();
+        if (!this.encryptedPayloads || this.encryptedPayloads.length === 0)
+          return [];
+        const nonNullPayloads = createDecryptPayloads(this.encryptedPayloads);
+        if (nonNullPayloads.length === 0) {
+          return createNullResult(this.encryptedPayloads);
+        }
+        const { metadata } = this.getAuditData();
+        const decryptedData = await decryptBulkFallible(this.client, {
+          ciphertexts: nonNullPayloads,
+          unverifiedContext: metadata
+        });
+        return mapDecryptedDataToResult(this.encryptedPayloads, decryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      encryptedPayloads: this.encryptedPayloads
+    };
+  }
+};
+var BulkDecryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, encryptedPayloads } = this.operation.getOperation();
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkDecrypt",
+      count: encryptedPayloads?.length ?? 0,
+      lockContext: true
+    });
+    const result = await withResult2(
+      async () => {
+        if (!client) throw noClientError();
+        if (!encryptedPayloads || encryptedPayloads.length === 0) return [];
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const nonNullPayloads = createDecryptPayloads(
+          encryptedPayloads,
+          context.data.context
+        );
+        if (nonNullPayloads.length === 0) {
+          return createNullResult(encryptedPayloads);
+        }
+        const { metadata } = this.getAuditData();
+        const decryptedData = await decryptBulkFallible(client, {
+          ciphertexts: nonNullPayloads,
+          serviceToken: context.data.ctsToken,
+          unverifiedContext: metadata
+        });
+        return mapDecryptedDataToResult(encryptedPayloads, decryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-decrypt-models.ts
+import { withResult as withResult3 } from "@byteslice/result";
+
+// src/encryption/ffi/model-helpers.ts
+import {
+  decryptBulk,
+  encryptBulk
+} from "@cipherstash/protect-ffi";
+function setNestedValue(obj, path, value) {
+  const FORBIDDEN_KEYS = ["__proto__", "prototype", "constructor"];
+  let current = obj;
+  for (let i = 0; i < path.length - 1; i++) {
+    const part = path[i];
+    if (FORBIDDEN_KEYS.includes(part)) {
+      throw new Error(`[encryption]: Forbidden key "${part}" in field path`);
+    }
+    if (!(part in current) || typeof current[part] !== "object" || current[part] === null) {
+      current[part] = {};
+    }
+    current = current[part];
+  }
+  const lastKey = path[path.length - 1];
+  if (FORBIDDEN_KEYS.includes(lastKey)) {
+    throw new Error(`[encryption]: Forbidden key "${lastKey}" in field path`);
+  }
+  current[lastKey] = value;
+}
+async function handleSingleModelBulkOperation(items, operation, keyMap) {
+  if (items.length === 0) {
+    return {};
+  }
+  const results = await operation(items);
+  const mappedResults = {};
+  results.forEach((result, index) => {
+    const originalKey = keyMap[index.toString()];
+    mappedResults[originalKey] = result;
+  });
+  return mappedResults;
+}
+async function handleMultiModelBulkOperation(items, operation, keyMap) {
+  if (items.length === 0) {
+    return {};
+  }
+  const results = await operation(items);
+  const mappedResults = {};
+  results.forEach((result, index) => {
+    const key = index.toString();
+    const { modelIndex, fieldKey } = keyMap[key];
+    mappedResults[`${modelIndex}-${fieldKey}`] = result;
+  });
+  return mappedResults;
+}
+function prepareFieldsForDecryption(model) {
+  const otherFields = { ...model };
+  const operationFields = {};
+  const nullFields = {};
+  const keyMap = {};
+  let index = 0;
+  const processNestedFields = (obj, prefix = "") => {
+    for (const [key, value] of Object.entries(obj)) {
+      const fullKey = prefix ? `${prefix}.${key}` : key;
+      if (value === null || value === void 0) {
+        nullFields[fullKey] = value;
+        continue;
+      }
+      if (typeof value === "object" && !isEncryptedPayload(value)) {
+        processNestedFields(value, fullKey);
+      } else if (isEncryptedPayload(value)) {
+        const id = index.toString();
+        keyMap[id] = fullKey;
+        operationFields[fullKey] = value;
+        index++;
+        const parts = fullKey.split(".");
+        let current = otherFields;
+        for (let i = 0; i < parts.length - 1; i++) {
+          current = current[parts[i]];
+        }
+        delete current[parts[parts.length - 1]];
+      }
+    }
+  };
+  processNestedFields(model);
+  return { otherFields, operationFields, keyMap, nullFields };
+}
+function prepareFieldsForEncryption(model, table) {
+  const otherFields = { ...model };
+  const operationFields = {};
+  const nullFields = {};
+  const keyMap = {};
+  let index = 0;
+  const processNestedFields = (obj, prefix = "", columnPaths2 = []) => {
+    for (const [key, value] of Object.entries(obj)) {
+      const fullKey = prefix ? `${prefix}.${key}` : key;
+      if (value === null || value === void 0) {
+        nullFields[fullKey] = value;
+        continue;
+      }
+      if (typeof value === "object" && !isEncryptedPayload(value) && !columnPaths2.includes(fullKey)) {
+        if (columnPaths2.some((path) => path.startsWith(fullKey))) {
+          processNestedFields(
+            value,
+            fullKey,
+            columnPaths2
+          );
+        }
+      } else if (columnPaths2.includes(fullKey)) {
+        const id = index.toString();
+        keyMap[id] = fullKey;
+        operationFields[fullKey] = value;
+        index++;
+        const parts = fullKey.split(".");
+        let current = otherFields;
+        for (let i = 0; i < parts.length - 1; i++) {
+          current = current[parts[i]];
+        }
+        delete current[parts[parts.length - 1]];
+      }
+    }
+  };
+  const columnPaths = Object.keys(table.build().columns);
+  processNestedFields(model, "", columnPaths);
+  return { otherFields, operationFields, keyMap, nullFields };
+}
+async function decryptModelFields(model, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForDecryption(model);
+  const bulkDecryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      ciphertext: value
+    })
+  );
+  const decryptedFields = await handleSingleModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => decryptBulk(client, {
+      ciphertexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(decryptedFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+async function encryptModelFields(model, table, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForEncryption(model, table);
+  const bulkEncryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      plaintext: value,
+      table: table.tableName,
+      column: key
+    })
+  );
+  const encryptedData = await handleSingleModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => encryptBulk(client, {
+      plaintexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(encryptedData)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+async function decryptModelFieldsWithLockContext(model, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForDecryption(model);
+  const bulkDecryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      ciphertext: value,
+      lockContext: lockContext.context
+    })
+  );
+  const decryptedFields = await handleSingleModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => decryptBulk(client, {
+      ciphertexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(decryptedFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+async function encryptModelFieldsWithLockContext(model, table, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareFieldsForEncryption(model, table);
+  const bulkEncryptPayload = Object.entries(operationFields).map(
+    ([key, value]) => ({
+      id: key,
+      plaintext: value,
+      table: table.tableName,
+      column: key,
+      lockContext: lockContext.context
+    })
+  );
+  const encryptedData = await handleSingleModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => encryptBulk(client, {
+      plaintexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  const result = { ...otherFields };
+  for (const [key, value] of Object.entries(nullFields)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  for (const [key, value] of Object.entries(encryptedData)) {
+    const parts = key.split(".");
+    setNestedValue(result, parts, value);
+  }
+  return result;
+}
+function prepareBulkModelsForOperation(models, table) {
+  const otherFields = [];
+  const operationFields = [];
+  const nullFields = [];
+  const keyMap = {};
+  let index = 0;
+  for (let modelIndex = 0; modelIndex < models.length; modelIndex++) {
+    const model = models[modelIndex];
+    const modelOtherFields = { ...model };
+    const modelOperationFields = {};
+    const modelNullFields = {};
+    const processNestedFields = (obj, prefix = "", columnPaths = []) => {
+      for (const [key, value] of Object.entries(obj)) {
+        const fullKey = prefix ? `${prefix}.${key}` : key;
+        if (value === null || value === void 0) {
+          modelNullFields[fullKey] = value;
+          continue;
+        }
+        if (typeof value === "object" && !isEncryptedPayload(value) && !columnPaths.includes(fullKey)) {
+          if (columnPaths.some((path) => path.startsWith(fullKey))) {
+            processNestedFields(
+              value,
+              fullKey,
+              columnPaths
+            );
+          }
+        } else if (columnPaths.includes(fullKey)) {
+          const id = index.toString();
+          keyMap[id] = { modelIndex, fieldKey: fullKey };
+          modelOperationFields[fullKey] = value;
+          index++;
+          const parts = fullKey.split(".");
+          let current = modelOtherFields;
+          for (let i = 0; i < parts.length - 1; i++) {
+            current = current[parts[i]];
+          }
+          delete current[parts[parts.length - 1]];
+        }
+      }
+    };
+    if (table) {
+      const columnPaths = Object.keys(table.build().columns);
+      processNestedFields(model, "", columnPaths);
+    } else {
+      const processEncryptedFields = (obj, prefix = "", columnPaths = []) => {
+        for (const [key, value] of Object.entries(obj)) {
+          const fullKey = prefix ? `${prefix}.${key}` : key;
+          if (value === null || value === void 0) {
+            modelNullFields[fullKey] = value;
+            continue;
+          }
+          if (typeof value === "object" && !isEncryptedPayload(value) && !columnPaths.includes(fullKey)) {
+            processEncryptedFields(
+              value,
+              fullKey,
+              columnPaths
+            );
+          } else if (isEncryptedPayload(value)) {
+            const id = index.toString();
+            keyMap[id] = { modelIndex, fieldKey: fullKey };
+            modelOperationFields[fullKey] = value;
+            index++;
+            const parts = fullKey.split(".");
+            let current = modelOtherFields;
+            for (let i = 0; i < parts.length - 1; i++) {
+              current = current[parts[i]];
+            }
+            delete current[parts[parts.length - 1]];
+          }
+        }
+      };
+      processEncryptedFields(model);
+    }
+    otherFields.push(modelOtherFields);
+    operationFields.push(modelOperationFields);
+    nullFields.push(modelNullFields);
+  }
+  return { otherFields, operationFields, keyMap, nullFields };
+}
+async function bulkEncryptModels(models, table, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!models || models.length === 0) {
+    return [];
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models, table);
+  const bulkEncryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      plaintext: value,
+      table: table.tableName,
+      column: key
+    }))
+  );
+  const encryptedData = await handleMultiModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => encryptBulk(client, {
+      plaintexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(encryptedData).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+async function bulkDecryptModels(models, client, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!models || models.length === 0) {
+    return [];
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models);
+  const bulkDecryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      ciphertext: value
+    }))
+  );
+  const decryptedFields = await handleMultiModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => decryptBulk(client, {
+      ciphertexts: items,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(decryptedFields).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+async function bulkDecryptModelsWithLockContext(models, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models);
+  const bulkDecryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      ciphertext: value,
+      lockContext: lockContext.context
+    }))
+  );
+  const decryptedFields = await handleMultiModelBulkOperation(
+    bulkDecryptPayload,
+    (items) => decryptBulk(client, {
+      ciphertexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(decryptedFields).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+async function bulkEncryptModelsWithLockContext(models, table, client, lockContext, auditData) {
+  if (!client) {
+    throw new Error("Client not initialized");
+  }
+  if (!lockContext) {
+    throw new Error("Lock context is not initialized");
+  }
+  const { otherFields, operationFields, keyMap, nullFields } = prepareBulkModelsForOperation(models, table);
+  const bulkEncryptPayload = operationFields.flatMap(
+    (fields, modelIndex) => Object.entries(fields).map(([key, value]) => ({
+      id: `${modelIndex}-${key}`,
+      plaintext: value,
+      table: table.tableName,
+      column: key,
+      lockContext: lockContext.context
+    }))
+  );
+  const encryptedData = await handleMultiModelBulkOperation(
+    bulkEncryptPayload,
+    (items) => encryptBulk(client, {
+      plaintexts: items,
+      serviceToken: lockContext.ctsToken,
+      unverifiedContext: auditData?.metadata
+    }),
+    keyMap
+  );
+  return models.map((_, modelIndex) => {
+    const result = { ...otherFields[modelIndex] };
+    for (const [key, value] of Object.entries(nullFields[modelIndex])) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    const modelData = Object.fromEntries(
+      Object.entries(encryptedData).filter(([key]) => {
+        const [idx] = key.split("-");
+        return Number.parseInt(idx) === modelIndex;
+      }).map(([key, value]) => {
+        const [_2, fieldKey] = key.split("-");
+        return [fieldKey, value];
+      })
+    );
+    for (const [key, value] of Object.entries(modelData)) {
+      const parts = key.split(".");
+      setNestedValue(result, parts, value);
+    }
+    return result;
+  });
+}
+
+// src/encryption/ffi/operations/bulk-decrypt-models.ts
+var BulkDecryptModelsOperation = class extends EncryptionOperation {
+  client;
+  models;
+  constructor(client, models) {
+    super();
+    this.client = client;
+    this.models = models;
+  }
+  withLockContext(lockContext) {
+    return new BulkDecryptModelsOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkDecryptModels",
+      count: this.models.length,
+      lockContext: false
+    });
+    const result = await withResult3(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await bulkDecryptModels(this.models, this.client, auditData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      models: this.models
+    };
+  }
+};
+var BulkDecryptModelsOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, models } = this.operation.getOperation();
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkDecryptModels",
+      count: models.length,
+      lockContext: true
+    });
+    const result = await withResult3(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await bulkDecryptModelsWithLockContext(
+          models,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-encrypt.ts
+import { withResult as withResult4 } from "@byteslice/result";
+import { encryptBulk as encryptBulk2 } from "@cipherstash/protect-ffi";
+var createEncryptPayloads = (plaintexts, column, table, lockContext) => {
+  return plaintexts.map((item, index) => ({ ...item, originalIndex: index })).filter(({ plaintext }) => plaintext !== null).map(({ id, plaintext, originalIndex }) => ({
+    id,
+    plaintext,
+    column: column.getName(),
+    table: table.tableName,
+    originalIndex,
+    ...lockContext && { lockContext }
+  }));
+};
+var createNullResult2 = (plaintexts) => {
+  return plaintexts.map(({ id }) => ({ id, data: null }));
+};
+var mapEncryptedDataToResult = (plaintexts, encryptedData) => {
+  const result = new Array(plaintexts.length);
+  let encryptedIndex = 0;
+  for (let i = 0; i < plaintexts.length; i++) {
+    if (plaintexts[i].plaintext === null) {
+      result[i] = { id: plaintexts[i].id, data: null };
+    } else {
+      result[i] = {
+        id: plaintexts[i].id,
+        data: encryptedData[encryptedIndex]
+      };
+      encryptedIndex++;
+    }
+  }
+  return result;
+};
+var BulkEncryptOperation = class extends EncryptionOperation {
+  client;
+  plaintexts;
+  column;
+  table;
+  constructor(client, plaintexts, opts) {
+    super();
+    this.client = client;
+    this.plaintexts = plaintexts;
+    this.column = opts.column;
+    this.table = opts.table;
+  }
+  withLockContext(lockContext) {
+    return new BulkEncryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkEncrypt",
+      table: this.table.tableName,
+      column: this.column.getName(),
+      count: this.plaintexts?.length ?? 0,
+      lockContext: false
+    });
+    const result = await withResult4(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        if (!this.plaintexts || this.plaintexts.length === 0) {
+          return [];
+        }
+        const nonNullPayloads = createEncryptPayloads(
+          this.plaintexts,
+          this.column,
+          this.table
+        );
+        if (nonNullPayloads.length === 0) {
+          return createNullResult2(this.plaintexts);
+        }
+        const { metadata } = this.getAuditData();
+        const encryptedData = await encryptBulk2(this.client, {
+          plaintexts: nonNullPayloads,
+          unverifiedContext: metadata
+        });
+        return mapEncryptedDataToResult(this.plaintexts, encryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      plaintexts: this.plaintexts,
+      column: this.column,
+      table: this.table
+    };
+  }
+};
+var BulkEncryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, plaintexts, column, table } = this.operation.getOperation();
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkEncrypt",
+      table: table.tableName,
+      column: column.getName(),
+      count: plaintexts?.length ?? 0,
+      lockContext: true
+    });
+    const result = await withResult4(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        if (!plaintexts || plaintexts.length === 0) {
+          return [];
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const nonNullPayloads = createEncryptPayloads(
+          plaintexts,
+          column,
+          table,
+          context.data.context
+        );
+        if (nonNullPayloads.length === 0) {
+          return createNullResult2(plaintexts);
+        }
+        const { metadata } = this.getAuditData();
+        const encryptedData = await encryptBulk2(client, {
+          plaintexts: nonNullPayloads,
+          serviceToken: context.data.ctsToken,
+          unverifiedContext: metadata
+        });
+        return mapEncryptedDataToResult(plaintexts, encryptedData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/bulk-encrypt-models.ts
+import { withResult as withResult5 } from "@byteslice/result";
+var BulkEncryptModelsOperation = class extends EncryptionOperation {
+  client;
+  models;
+  table;
+  constructor(client, models, table) {
+    super();
+    this.client = client;
+    this.models = models;
+    this.table = table;
+  }
+  withLockContext(lockContext) {
+    return new BulkEncryptModelsOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkEncryptModels",
+      table: this.table.tableName,
+      count: this.models.length,
+      lockContext: false
+    });
+    const result = await withResult5(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await bulkEncryptModels(
+          this.models,
+          this.table,
+          this.client,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      models: this.models,
+      table: this.table
+    };
+  }
+};
+var BulkEncryptModelsOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, models, table } = this.operation.getOperation();
+    const log = createRequestLogger();
+    log.set({
+      op: "bulkEncryptModels",
+      table: table.tableName,
+      count: models.length,
+      lockContext: true
+    });
+    const result = await withResult5(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await bulkEncryptModelsWithLockContext(
+          models,
+          table,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/decrypt.ts
+import { withResult as withResult6 } from "@byteslice/result";
+import {
+  decrypt as ffiDecrypt
+} from "@cipherstash/protect-ffi";
+var DecryptOperation = class extends EncryptionOperation {
+  client;
+  encryptedData;
+  constructor(client, encryptedData) {
+    super();
+    this.client = client;
+    this.encryptedData = encryptedData;
+  }
+  withLockContext(lockContext) {
+    return new DecryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "decrypt",
+      lockContext: false
+    });
+    const result = await withResult6(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        if (this.encryptedData === null) {
+          return null;
+        }
+        const { metadata } = this.getAuditData();
+        return await ffiDecrypt(this.client, {
+          ciphertext: this.encryptedData,
+          unverifiedContext: metadata
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      encryptedData: this.encryptedData,
+      auditData: this.getAuditData()
+    };
+  }
+};
+var DecryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "decrypt",
+      lockContext: true
+    });
+    const result = await withResult6(
+      async () => {
+        const { client, encryptedData } = this.operation.getOperation();
+        if (!client) {
+          throw noClientError();
+        }
+        if (encryptedData === null) {
+          return null;
+        }
+        const { metadata } = this.getAuditData();
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        return await ffiDecrypt(client, {
+          ciphertext: encryptedData,
+          unverifiedContext: metadata,
+          lockContext: context.data.context,
+          serviceToken: context.data.ctsToken
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/decrypt-model.ts
+import { withResult as withResult7 } from "@byteslice/result";
+var DecryptModelOperation = class extends EncryptionOperation {
+  client;
+  model;
+  constructor(client, model) {
+    super();
+    this.client = client;
+    this.model = model;
+  }
+  withLockContext(lockContext) {
+    return new DecryptModelOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "decryptModel",
+      lockContext: false
+    });
+    const result = await withResult7(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await decryptModelFields(this.model, this.client, auditData);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      model: this.model
+    };
+  }
+};
+var DecryptModelOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "decryptModel",
+      lockContext: true
+    });
+    const result = await withResult7(
+      async () => {
+        const { client, model } = this.operation.getOperation();
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await decryptModelFieldsWithLockContext(
+          model,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.DecryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/encrypt.ts
+import { withResult as withResult8 } from "@byteslice/result";
+import {
+  encrypt as ffiEncrypt
+} from "@cipherstash/protect-ffi";
+var EncryptOperation = class extends EncryptionOperation {
+  client;
+  plaintext;
+  column;
+  table;
+  constructor(client, plaintext, opts) {
+    super();
+    this.client = client;
+    this.plaintext = plaintext;
+    this.column = opts.column;
+    this.table = opts.table;
+  }
+  withLockContext(lockContext) {
+    return new EncryptOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "encrypt",
+      table: this.table.tableName,
+      column: this.column.getName(),
+      lockContext: false
+    });
+    const result = await withResult8(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        if (this.plaintext === null) {
+          return null;
+        }
+        if (typeof this.plaintext === "number" && Number.isNaN(this.plaintext)) {
+          throw new Error("[encryption]: Cannot encrypt NaN value");
+        }
+        if (typeof this.plaintext === "number" && !Number.isFinite(this.plaintext)) {
+          throw new Error("[encryption]: Cannot encrypt Infinity value");
+        }
+        const { metadata } = this.getAuditData();
+        return await ffiEncrypt(this.client, {
+          plaintext: this.plaintext,
+          column: this.column.getName(),
+          table: this.table.tableName,
+          unverifiedContext: metadata
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      plaintext: this.plaintext,
+      column: this.column,
+      table: this.table
+    };
+  }
+};
+var EncryptOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, plaintext, column, table } = this.operation.getOperation();
+    const log = createRequestLogger();
+    log.set({
+      op: "encrypt",
+      table: table.tableName,
+      column: column.getName(),
+      lockContext: true
+    });
+    const result = await withResult8(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        if (plaintext === null) {
+          return null;
+        }
+        const { metadata } = this.getAuditData();
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        return await ffiEncrypt(client, {
+          plaintext,
+          column: column.getName(),
+          table: table.tableName,
+          lockContext: context.data.context,
+          serviceToken: context.data.ctsToken,
+          unverifiedContext: metadata
+        });
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/encrypt-model.ts
+import { withResult as withResult9 } from "@byteslice/result";
+var EncryptModelOperation = class extends EncryptionOperation {
+  client;
+  model;
+  table;
+  constructor(client, model, table) {
+    super();
+    this.client = client;
+    this.model = model;
+    this.table = table;
+  }
+  withLockContext(lockContext) {
+    return new EncryptModelOperationWithLockContext(this, lockContext);
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "encryptModel",
+      table: this.table.tableName,
+      lockContext: false
+    });
+    const result = await withResult9(
+      async () => {
+        if (!this.client) {
+          throw noClientError();
+        }
+        const auditData = this.getAuditData();
+        return await encryptModelFields(
+          this.model,
+          this.table,
+          this.client,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return {
+      client: this.client,
+      model: this.model,
+      table: this.table
+    };
+  }
+};
+var EncryptModelOperationWithLockContext = class extends EncryptionOperation {
+  operation;
+  lockContext;
+  constructor(operation, lockContext) {
+    super();
+    this.operation = operation;
+    this.lockContext = lockContext;
+    const auditData = operation.getAuditData();
+    if (auditData) {
+      this.audit(auditData);
+    }
+  }
+  async execute() {
+    const { client, model, table } = this.operation.getOperation();
+    const log = createRequestLogger();
+    log.set({
+      op: "encryptModel",
+      table: table.tableName,
+      lockContext: true
+    });
+    const result = await withResult9(
+      async () => {
+        if (!client) {
+          throw noClientError();
+        }
+        const context = await this.lockContext.getLockContext();
+        if (context.failure) {
+          throw new Error(`[encryption]: ${context.failure.message}`);
+        }
+        const auditData = this.getAuditData();
+        return await encryptModelFieldsWithLockContext(
+          model,
+          table,
+          client,
+          context.data,
+          auditData
+        );
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/operations/encrypt-query.ts
+import { withResult as withResult10 } from "@byteslice/result";
+import {
+  encryptQuery as ffiEncryptQuery
+} from "@cipherstash/protect-ffi";
+var EncryptQueryOperation = class extends EncryptionOperation {
+  constructor(client, plaintext, opts) {
+    super();
+    this.client = client;
+    this.plaintext = plaintext;
+    this.opts = opts;
+  }
+  withLockContext(lockContext) {
+    return new EncryptQueryOperationWithLockContext(
+      this.client,
+      this.plaintext,
+      this.opts,
+      lockContext,
+      this.auditMetadata
+    );
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "encryptQuery",
+      table: this.opts.table.tableName,
+      column: this.opts.column.getName(),
+      queryType: this.opts.queryType,
+      lockContext: false
+    });
+    if (this.plaintext === null || this.plaintext === void 0) {
+      log.emit();
+      return { data: null };
+    }
+    const validationError = validateNumericValue(this.plaintext);
+    if (validationError?.failure) {
+      log.emit();
+      return { failure: validationError.failure };
+    }
+    const result = await withResult10(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const { indexType, queryOp } = resolveIndexType(
+          this.opts.column,
+          this.opts.queryType,
+          this.plaintext
+        );
+        assertValueIndexCompatibility(
+          this.plaintext,
+          indexType,
+          this.opts.column.getName()
+        );
+        const encrypted = await ffiEncryptQuery(this.client, {
+          plaintext: this.plaintext,
+          column: this.opts.column.getName(),
+          table: this.opts.table.tableName,
+          indexType,
+          queryOp,
+          unverifiedContext: metadata
+        });
+        return formatEncryptedResult(encrypted, this.opts.returnType);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+  getOperation() {
+    return { client: this.client, plaintext: this.plaintext, ...this.opts };
+  }
+};
+var EncryptQueryOperationWithLockContext = class extends EncryptionOperation {
+  constructor(client, plaintext, opts, lockContext, auditMetadata) {
+    super();
+    this.client = client;
+    this.plaintext = plaintext;
+    this.opts = opts;
+    this.lockContext = lockContext;
+    this.auditMetadata = auditMetadata;
+  }
+  async execute() {
+    const log = createRequestLogger();
+    log.set({
+      op: "encryptQuery",
+      table: this.opts.table.tableName,
+      column: this.opts.column.getName(),
+      queryType: this.opts.queryType,
+      lockContext: true
+    });
+    if (this.plaintext === null || this.plaintext === void 0) {
+      log.emit();
+      return { data: null };
+    }
+    const validationError = validateNumericValue(this.plaintext);
+    if (validationError?.failure) {
+      log.emit();
+      return { failure: validationError.failure };
+    }
+    const lockContextResult = await this.lockContext.getLockContext();
+    if (lockContextResult.failure) {
+      log.emit();
+      return { failure: lockContextResult.failure };
+    }
+    const { ctsToken, context } = lockContextResult.data;
+    const result = await withResult10(
+      async () => {
+        if (!this.client) throw noClientError();
+        const { metadata } = this.getAuditData();
+        const { indexType, queryOp } = resolveIndexType(
+          this.opts.column,
+          this.opts.queryType,
+          this.plaintext
+        );
+        assertValueIndexCompatibility(
+          this.plaintext,
+          indexType,
+          this.opts.column.getName()
+        );
+        const encrypted = await ffiEncryptQuery(this.client, {
+          plaintext: this.plaintext,
+          column: this.opts.column.getName(),
+          table: this.opts.table.tableName,
+          indexType,
+          queryOp,
+          lockContext: context,
+          serviceToken: ctsToken,
+          unverifiedContext: metadata
+        });
+        return formatEncryptedResult(encrypted, this.opts.returnType);
+      },
+      (error) => {
+        log.set({ errorCode: getErrorCode(error) ?? "unknown" });
+        return {
+          type: EncryptionErrorTypes.EncryptionError,
+          message: error.message,
+          code: getErrorCode(error)
+        };
+      }
+    );
+    log.emit();
+    return result;
+  }
+};
+
+// src/encryption/ffi/index.ts
+var noClientError = () => new Error(
+  "The EQL client has not been initialized. Please call init() before using the client."
+);
+var EncryptionClient = class {
+  client;
+  encryptConfig;
+  workspaceId;
+  constructor(workspaceCrn) {
+    const workspaceId = loadWorkSpaceId(workspaceCrn);
+    this.workspaceId = workspaceId;
+  }
+  /**
+   * Initializes the EncryptionClient with the provided configuration.
+   * @internal
+   * @param config - The configuration object for initializing the client.
+   * @returns A promise that resolves to a {@link Result} containing the initialized EncryptionClient or an {@link EncryptionError}.
+   **/
+  async init(config) {
+    return await withResult11(
+      async () => {
+        const validated = encryptConfigSchema.parse(
+          config.encryptConfig
+        );
+        logger.debug(
+          "Initializing the Protect.js client with the following encrypt config:",
+          {
+            encryptConfig: validated
+          }
+        );
+        this.client = await newClient({
+          encryptConfig: validated,
+          clientOpts: {
+            workspaceCrn: config.workspaceCrn,
+            accessKey: config.accessKey,
+            clientId: config.clientId,
+            clientKey: config.clientKey,
+            keyset: toFfiKeysetIdentifier(config.keyset)
+          }
+        });
+        this.encryptConfig = validated;
+        logger.debug("Successfully initialized the Protect.js client.");
+        return this;
+      },
+      (error) => ({
+        type: EncryptionErrorTypes.ClientInitError,
+        message: error.message
+      })
+    );
+  }
+  /**
+   * Encrypt a value - returns a promise which resolves to an encrypted value.
+   *
+   * @param plaintext - The plaintext value to be encrypted. Can be null.
+   * @param opts - Options specifying the column and table for encryption.
+   * @returns An EncryptOperation that can be awaited or chained with additional methods.
+   *
+   * @example
+   * The following example demonstrates how to encrypt a value using the Encryption client.
+   * It includes defining an encryption schema with {@link encryptedTable} and {@link encryptedColumn},
+   * initializing the client with {@link Encryption}, and performing the encryption.
+   *
+   * `encrypt` returns an {@link EncryptOperation} which can be awaited to get a {@link Result}
+   * which can either be the encrypted value or an {@link EncryptionError}.
+   *
+   * ```typescript
+   * // Define encryption schema
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   * const userSchema = encryptedTable("users", {
+   *  email: encryptedColumn("email"),
+   * });
+   *
+   * // Initialize Encryption client
+   * const client = await Encryption({ schemas: [userSchema] })
+   *
+   * // Encrypt a value
+   * const encryptedResult = await client.encrypt(
+   *  "person@example.com",
+   *  { column: userSchema.email, table: userSchema }
+   * )
+   *
+   * // Handle encryption result
+   * if (encryptedResult.failure) {
+   *   throw new Error(`Encryption failed: ${encryptedResult.failure.message}`);
+   * }
+   *
+   * console.log("Encrypted data:", encryptedResult.data);
+   * ```
+   *
+   * @example
+   * When encrypting data, a {@link LockContext} can be provided to tie the encryption to a specific user or session.
+   * This ensures that the same lock context is required for decryption.
+   *
+   * The following example demonstrates how to create a lock context using a user's JWT token
+   * and use it during encryption.
+   *
+   * ```typescript
+   * // Define encryption schema and initialize client as above
+   *
+   * // Create a lock for the user's `sub` claim from their JWT
+   * const lc = new LockContext();
+   * const lockContext = await lc.identify(userJwt);
+   *
+   * if (lockContext.failure) {
+   *   // Handle the failure
+   * }
+   *
+   * // Encrypt a value with the lock context
+   * // Decryption will then require the same lock context
+   * const encryptedResult = await client.encrypt(
+   *  "person@example.com",
+   *  { column: userSchema.email, table: userSchema }
+   * )
+   *  .withLockContext(lockContext)
+   * ```
+   *
+   * @see {@link Result}
+   * @see {@link encryptedTable}
+   * @see {@link LockContext}
+   * @see {@link EncryptOperation}
+   */
+  encrypt(plaintext, opts) {
+    return new EncryptOperation(this.client, plaintext, opts);
+  }
+  encryptQuery(plaintextOrTerms, opts) {
+    if (isScalarQueryTermArray(plaintextOrTerms)) {
+      return new BatchEncryptQueryOperation(this.client, plaintextOrTerms);
+    }
+    if (Array.isArray(plaintextOrTerms) && plaintextOrTerms.length === 0 && !opts) {
+      return new BatchEncryptQueryOperation(
+        this.client,
+        []
+      );
+    }
+    if (!opts) {
+      throw new Error("EncryptQueryOptions are required");
+    }
+    return new EncryptQueryOperation(
+      this.client,
+      plaintextOrTerms,
+      opts
+    );
+  }
+  /**
+   * Decryption - returns a promise which resolves to a decrypted value.
+   *
+   * @param encryptedData - The encrypted data to be decrypted.
+   * @returns A DecryptOperation that can be awaited or chained with additional methods.
+   *
+   * @example
+   * The following example demonstrates how to decrypt a value that was previously encrypted using the {@link encrypt} method.
+   * It includes encrypting a value first, then decrypting it, and handling the result.
+   *
+   * ```typescript
+   * const encryptedData = await client.encrypt(
+   *  "person@example.com",
+   *  { column: "email", table: "users" }
+   * )
+   * const decryptResult = await client.decrypt(encryptedData)
+   * if (decryptResult.failure) {
+   *   throw new Error(`Decryption failed: ${decryptResult.failure.message}`);
+   * }
+   * console.log("Decrypted data:", decryptResult.data);
+   * ```
+   *
+   * @example
+   * Provide a lock context when decrypting:
+   * ```typescript
+   *    await client.decrypt(encryptedData)
+   *      .withLockContext(lockContext)
+   * ```
+   *
+   * @see {@link LockContext}
+   * @see {@link DecryptOperation}
+   */
+  decrypt(encryptedData) {
+    return new DecryptOperation(this.client, encryptedData);
+  }
+  /**
+   * Encrypt a model (object) based on the table schema.
+   *
+   * Only fields whose keys match columns defined in the table schema are encrypted.
+   * All other fields are passed through unchanged. Returns a thenable operation
+   * that supports `.withLockContext()` for identity-aware encryption.
+   *
+   * @param input - The model object with plaintext values to encrypt.
+   * @param table - The table schema defining which fields to encrypt.
+   * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
+   *   containing the model with encrypted fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * type User = { id: string; email: string; createdAt: Date }
+   *
+   * const usersSchema = encryptedTable("users", {
+   *   email: encryptedColumn("email").equality(),
+   * })
+   *
+   * const client = await Encryption({ schemas: [usersSchema] })
+   *
+   * const result = await client.encryptModel<User>(
+   *   { id: "user_123", email: "alice@example.com", createdAt: new Date() },
+   *   usersSchema,
+   * )
+   *
+   * if (result.failure) {
+   *   console.error(result.failure.message)
+   * } else {
+   *   // result.data.id is unchanged, result.data.email is encrypted
+   *   console.log(result.data)
+   * }
+   * ```
+   */
+  encryptModel(input, table) {
+    return new EncryptModelOperation(this.client, input, table);
+  }
+  /**
+   * Decrypt a model (object) whose fields contain encrypted values.
+   *
+   * Identifies encrypted fields automatically and decrypts them, returning the
+   * model with plaintext values. Returns a thenable operation that supports
+   * `.withLockContext()` for identity-aware decryption.
+   *
+   * @param input - The model object with encrypted field values.
+   * @returns A `DecryptModelOperation<T>` that can be awaited to get a `Result`
+   *   containing the model with decrypted plaintext fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * // Decrypt a previously encrypted model
+   * const decrypted = await client.decryptModel<User>(encryptedUser)
+   *
+   * if (decrypted.failure) {
+   *   console.error(decrypted.failure.message)
+   * } else {
+   *   console.log(decrypted.data.email) // "alice@example.com"
+   * }
+   *
+   * // With a lock context
+   * const decrypted = await client
+   *   .decryptModel<User>(encryptedUser)
+   *   .withLockContext(lockContext)
+   * ```
+   */
+  decryptModel(input) {
+    return new DecryptModelOperation(this.client, input);
+  }
+  /**
+   * Encrypt multiple models (objects) in a single bulk operation.
+   *
+   * Performs a single call to ZeroKMS regardless of the number of models,
+   * while still using a unique key for each encrypted value. Only fields
+   * matching the table schema are encrypted; other fields pass through unchanged.
+   *
+   * @param input - An array of model objects with plaintext values to encrypt.
+   * @param table - The table schema defining which fields to encrypt.
+   * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
+   *   containing an array of models with encrypted fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * type User = { id: string; email: string }
+   *
+   * const usersSchema = encryptedTable("users", {
+   *   email: encryptedColumn("email"),
+   * })
+   *
+   * const client = await Encryption({ schemas: [usersSchema] })
+   *
+   * const result = await client.bulkEncryptModels<User>(
+   *   [
+   *     { id: "1", email: "alice@example.com" },
+   *     { id: "2", email: "bob@example.com" },
+   *   ],
+   *   usersSchema,
+   * )
+   *
+   * if (!result.failure) {
+   *   console.log(result.data) // array of models with encrypted email fields
+   * }
+   * ```
+   */
+  bulkEncryptModels(input, table) {
+    return new BulkEncryptModelsOperation(this.client, input, table);
+  }
+  /**
+   * Decrypt multiple models (objects) in a single bulk operation.
+   *
+   * Performs a single call to ZeroKMS regardless of the number of models,
+   * restoring all encrypted fields to their original plaintext values.
+   *
+   * @param input - An array of model objects with encrypted field values.
+   * @returns A `BulkDecryptModelsOperation<T>` that can be awaited to get a `Result`
+   *   containing an array of models with decrypted plaintext fields, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * const encryptedUsers = encryptedResult.data // from bulkEncryptModels
+   *
+   * const result = await client.bulkDecryptModels<User>(encryptedUsers)
+   *
+   * if (!result.failure) {
+   *   for (const user of result.data) {
+   *     console.log(user.email) // plaintext email
+   *   }
+   * }
+   *
+   * // With a lock context
+   * const result = await client
+   *   .bulkDecryptModels<User>(encryptedUsers)
+   *   .withLockContext(lockContext)
+   * ```
+   */
+  bulkDecryptModels(input) {
+    return new BulkDecryptModelsOperation(this.client, input);
+  }
+  /**
+   * Encrypt multiple plaintext values in a single bulk operation.
+   *
+   * Each value is encrypted with its own unique key via a single call to ZeroKMS.
+   * Values can include optional `id` fields for correlating results back to
+   * your application data. Null plaintext values are preserved as null.
+   *
+   * @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
+   * @param opts - Options specifying the target column and table for encryption.
+   * @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
+   *   containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
+   *
+   * @example
+   * ```typescript
+   * import { Encryption } from "@cipherstash/stack"
+   * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+   *
+   * const users = encryptedTable("users", {
+   *   email: encryptedColumn("email"),
+   * })
+   * const client = await Encryption({ schemas: [users] })
+   *
+   * const result = await client.bulkEncrypt(
+   *   [
+   *     { id: "u1", plaintext: "alice@example.com" },
+   *     { id: "u2", plaintext: "bob@example.com" },
+   *     { id: "u3", plaintext: null },
+   *   ],
+   *   { column: users.email, table: users },
+   * )
+   *
+   * if (!result.failure) {
+   *   // result.data = [{ id: "u1", data: Encrypted }, { id: "u2", data: Encrypted }, ...]
+   *   console.log(result.data)
+   * }
+   * ```
+   */
+  bulkEncrypt(plaintexts, opts) {
+    return new BulkEncryptOperation(this.client, plaintexts, opts);
+  }
+  /**
+   * Decrypt multiple encrypted values in a single bulk operation.
+   *
+   * Performs a single call to ZeroKMS to decrypt all values. The result uses
+   * a multi-status pattern: each item in the returned array has either a `data`
+   * field (success) or an `error` field (failure), allowing graceful handling
+   * of partial failures.
+   *
+   * @param encryptedPayloads - An array of objects with `data` (encrypted payload) and optional `id` fields.
+   * @returns A `BulkDecryptOperation` that can be awaited to get a `Result`
+   *   containing an array of `{ id?, data: plaintext }` or `{ id?, error: string }` objects,
+   *   or an `EncryptionError` if the entire operation fails.
+   *
+   * @example
+   * ```typescript
+   * const encrypted = await client.bulkEncrypt(plaintexts, { column: users.email, table: users })
+   *
+   * const result = await client.bulkDecrypt(encrypted.data)
+   *
+   * if (!result.failure) {
+   *   for (const item of result.data) {
+   *     if ("data" in item) {
+   *       console.log(`${item.id}: ${item.data}`)
+   *     } else {
+   *       console.error(`${item.id} failed: ${item.error}`)
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  bulkDecrypt(encryptedPayloads) {
+    return new BulkDecryptOperation(this.client, encryptedPayloads);
+  }
+  /** e.g., debugging or environment info */
+  clientInfo() {
+    return {
+      workspaceId: this.workspaceId
+    };
+  }
+};
+
+// src/index.ts
+function isValidUuid(uuid) {
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+  return uuidRegex.test(uuid);
+}
+var Encryption = async (config) => {
+  if (config.logging) {
+    initStackLogger(config.logging);
+  }
+  const { schemas, config: clientConfig } = config;
+  if (!schemas.length) {
+    throw new Error(
+      "[encryption]: At least one encryptedTable must be provided to initialize the encryption client"
+    );
+  }
+  if (clientConfig?.keyset && "id" in clientConfig.keyset && !isValidUuid(clientConfig.keyset.id)) {
+    throw new Error(
+      "[encryption]: Invalid UUID provided for keyset id. Must be a valid UUID."
+    );
+  }
+  const client = new EncryptionClient(clientConfig?.workspaceCrn);
+  const encryptConfig = buildEncryptConfig(...schemas);
+  const result = await client.init({
+    encryptConfig,
+    ...clientConfig
+  });
+  if (result.failure) {
+    throw new Error(`[encryption]: ${result.failure.message}`);
+  }
+  return result.data;
+};
+
+export {
+  Encryption
+};
+//# sourceMappingURL=chunk-2GZMIJFO.js.map