@cipherstash/stack 0.1.0

package/dist/client-BxJG56Ey.d.cts

@@ -0,0 +1,647 @@
+import { j as EncryptedQueryResult, k as Client, S as ScalarQueryTerm, B as BulkDecryptedData, l as BulkDecryptPayload, D as Decrypted, m as BulkEncryptedData, n as BulkEncryptPayload, o as EncryptOptions, P as ProtectColumn, g as ProtectValue, d as ProtectTable, f as ProtectTableColumn, h as Encrypted, p as EncryptQueryOptions, Q as QueryTypeName, q as EncryptedReturnType, r as EncryptConfig, K as KeysetIdentifier } from './types-public-BCj1L4fi.cjs';
+import { a as EncryptionError, d as LockContext } from './index-9-Ya3fDK.cjs';
+import { Result } from '@byteslice/result';
+import { JsPlaintext } from '@cipherstash/protect-ffi';
+
+type AuditConfig = {
+    metadata?: Record<string, unknown>;
+};
+type AuditData = {
+    metadata?: Record<string, unknown>;
+};
+declare abstract class EncryptionOperation<T> {
+    protected auditMetadata?: Record<string, unknown>;
+    /**
+     * Attach audit metadata to this operation. Can be chained.
+     * @param config Configuration for ZeroKMS audit logging
+     * @param config.metadata Arbitrary JSON object for appending metadata to the audit log
+     */
+    audit(config: AuditConfig): this;
+    /**
+     * Get the audit data for this operation.
+     */
+    getAuditData(): AuditData;
+    /**
+     * Execute the operation and return a Result
+     */
+    abstract execute(): Promise<Result<T, EncryptionError>>;
+    /**
+     * Make the operation thenable
+     */
+    then<TResult1 = Result<T, EncryptionError>, TResult2 = never>(onfulfilled?: ((value: Result<T, EncryptionError>) => TResult1 | PromiseLike<TResult1>) | null, onrejected?: ((reason: unknown) => TResult2 | PromiseLike<TResult2>) | null): Promise<TResult1 | TResult2>;
+}
+
+/**
+ * @internal Use {@link EncryptionClient.encryptQuery} with array input instead.
+ */
+declare class BatchEncryptQueryOperation extends EncryptionOperation<EncryptedQueryResult[]> {
+    private client;
+    private terms;
+    constructor(client: Client, terms: readonly ScalarQueryTerm[]);
+    withLockContext(lockContext: LockContext): BatchEncryptQueryOperationWithLockContext;
+    execute(): Promise<Result<EncryptedQueryResult[], EncryptionError>>;
+}
+/**
+ * @internal Use {@link EncryptionClient.encryptQuery} with array input and `.withLockContext()` instead.
+ */
+declare class BatchEncryptQueryOperationWithLockContext extends EncryptionOperation<EncryptedQueryResult[]> {
+    private client;
+    private terms;
+    private lockContext;
+    constructor(client: Client, terms: readonly ScalarQueryTerm[], lockContext: LockContext, auditMetadata?: Record<string, unknown>);
+    execute(): Promise<Result<EncryptedQueryResult[], EncryptionError>>;
+}
+
+declare class BulkDecryptOperation extends EncryptionOperation<BulkDecryptedData> {
+    private client;
+    private encryptedPayloads;
+    constructor(client: Client, encryptedPayloads: BulkDecryptPayload);
+    withLockContext(lockContext: LockContext): BulkDecryptOperationWithLockContext;
+    execute(): Promise<Result<BulkDecryptedData, EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        encryptedPayloads: BulkDecryptPayload;
+    };
+}
+declare class BulkDecryptOperationWithLockContext extends EncryptionOperation<BulkDecryptedData> {
+    private operation;
+    private lockContext;
+    constructor(operation: BulkDecryptOperation, lockContext: LockContext);
+    execute(): Promise<Result<BulkDecryptedData, EncryptionError>>;
+}
+
+declare class BulkDecryptModelsOperation<T extends Record<string, unknown>> extends EncryptionOperation<Decrypted<T>[]> {
+    private client;
+    private models;
+    constructor(client: Client, models: T[]);
+    withLockContext(lockContext: LockContext): BulkDecryptModelsOperationWithLockContext<T>;
+    execute(): Promise<Result<Decrypted<T>[], EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        models: T[];
+    };
+}
+declare class BulkDecryptModelsOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<Decrypted<T>[]> {
+    private operation;
+    private lockContext;
+    constructor(operation: BulkDecryptModelsOperation<T>, lockContext: LockContext);
+    execute(): Promise<Result<Decrypted<T>[], EncryptionError>>;
+}
+
+declare class BulkEncryptOperation extends EncryptionOperation<BulkEncryptedData> {
+    private client;
+    private plaintexts;
+    private column;
+    private table;
+    constructor(client: Client, plaintexts: BulkEncryptPayload, opts: EncryptOptions);
+    withLockContext(lockContext: LockContext): BulkEncryptOperationWithLockContext;
+    execute(): Promise<Result<BulkEncryptedData, EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        plaintexts: BulkEncryptPayload;
+        column: ProtectColumn | ProtectValue;
+        table: ProtectTable<ProtectTableColumn>;
+    };
+}
+declare class BulkEncryptOperationWithLockContext extends EncryptionOperation<BulkEncryptedData> {
+    private operation;
+    private lockContext;
+    constructor(operation: BulkEncryptOperation, lockContext: LockContext);
+    execute(): Promise<Result<BulkEncryptedData, EncryptionError>>;
+}
+
+declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> extends EncryptionOperation<T[]> {
+    private client;
+    private models;
+    private table;
+    constructor(client: Client, models: Decrypted<T>[], table: ProtectTable<ProtectTableColumn>);
+    withLockContext(lockContext: LockContext): BulkEncryptModelsOperationWithLockContext<T>;
+    execute(): Promise<Result<T[], EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        models: Decrypted<T>[];
+        table: ProtectTable<ProtectTableColumn>;
+    };
+}
+declare class BulkEncryptModelsOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T[]> {
+    private operation;
+    private lockContext;
+    constructor(operation: BulkEncryptModelsOperation<T>, lockContext: LockContext);
+    execute(): Promise<Result<T[], EncryptionError>>;
+}
+
+/**
+ * Decrypts an encrypted payload using the provided client.
+ * This is the type returned by the {@link EncryptionClient.decrypt | decrypt} method of the {@link EncryptionClient}.
+ */
+declare class DecryptOperation extends EncryptionOperation<JsPlaintext | null> {
+    private client;
+    private encryptedData;
+    constructor(client: Client, encryptedData: Encrypted);
+    withLockContext(lockContext: LockContext): DecryptOperationWithLockContext;
+    execute(): Promise<Result<JsPlaintext | null, EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        encryptedData: Encrypted;
+        auditData?: Record<string, unknown>;
+    };
+}
+declare class DecryptOperationWithLockContext extends EncryptionOperation<JsPlaintext | null> {
+    private operation;
+    private lockContext;
+    constructor(operation: DecryptOperation, lockContext: LockContext);
+    execute(): Promise<Result<JsPlaintext | null, EncryptionError>>;
+}
+
+declare class DecryptModelOperation<T extends Record<string, unknown>> extends EncryptionOperation<Decrypted<T>> {
+    private client;
+    private model;
+    constructor(client: Client, model: T);
+    withLockContext(lockContext: LockContext): DecryptModelOperationWithLockContext<T>;
+    execute(): Promise<Result<Decrypted<T>, EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        model: T;
+    };
+}
+declare class DecryptModelOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<Decrypted<T>> {
+    private operation;
+    private lockContext;
+    constructor(operation: DecryptModelOperation<T>, lockContext: LockContext);
+    execute(): Promise<Result<Decrypted<T>, EncryptionError>>;
+}
+
+declare class EncryptOperation extends EncryptionOperation<Encrypted> {
+    private client;
+    private plaintext;
+    private column;
+    private table;
+    constructor(client: Client, plaintext: JsPlaintext | null, opts: EncryptOptions);
+    withLockContext(lockContext: LockContext): EncryptOperationWithLockContext;
+    execute(): Promise<Result<Encrypted, EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        plaintext: JsPlaintext | null;
+        column: ProtectColumn | ProtectValue;
+        table: ProtectTable<ProtectTableColumn>;
+    };
+}
+declare class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted> {
+    private operation;
+    private lockContext;
+    constructor(operation: EncryptOperation, lockContext: LockContext);
+    execute(): Promise<Result<Encrypted, EncryptionError>>;
+}
+
+declare class EncryptModelOperation<T extends Record<string, unknown>> extends EncryptionOperation<T> {
+    private client;
+    private model;
+    private table;
+    constructor(client: Client, model: Decrypted<T>, table: ProtectTable<ProtectTableColumn>);
+    withLockContext(lockContext: LockContext): EncryptModelOperationWithLockContext<T>;
+    execute(): Promise<Result<T, EncryptionError>>;
+    getOperation(): {
+        client: Client;
+        model: Decrypted<T>;
+        table: ProtectTable<ProtectTableColumn>;
+    };
+}
+declare class EncryptModelOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T> {
+    private operation;
+    private lockContext;
+    constructor(operation: EncryptModelOperation<T>, lockContext: LockContext);
+    execute(): Promise<Result<T, EncryptionError>>;
+}
+
+/**
+ * @internal Use {@link EncryptionClient.encryptQuery} instead.
+ */
+declare class EncryptQueryOperation extends EncryptionOperation<EncryptedQueryResult> {
+    private client;
+    private plaintext;
+    private opts;
+    constructor(client: Client, plaintext: JsPlaintext | null, opts: EncryptQueryOptions);
+    withLockContext(lockContext: LockContext): EncryptQueryOperationWithLockContext;
+    execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
+    getOperation(): {
+        column: ProtectColumn;
+        table: ProtectTable<ProtectTableColumn>;
+        queryType?: QueryTypeName;
+        returnType?: EncryptedReturnType;
+        client: Client;
+        plaintext: JsPlaintext | null;
+    };
+}
+/**
+ * @internal Use {@link EncryptionClient.encryptQuery} with `.withLockContext()` instead.
+ */
+declare class EncryptQueryOperationWithLockContext extends EncryptionOperation<EncryptedQueryResult> {
+    private client;
+    private plaintext;
+    private opts;
+    private lockContext;
+    constructor(client: Client, plaintext: JsPlaintext | null, opts: EncryptQueryOptions, lockContext: LockContext, auditMetadata?: Record<string, unknown>);
+    execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
+}
+
+/** The EncryptionClient is the main entry point for interacting with the CipherStash Protect.js library.
+ * It provides methods for encrypting and decrypting individual values, as well as models (objects) and bulk operations.
+ *
+ * The client must be initialized using the {@link Encryption} function before it can be used.
+ */
+declare class EncryptionClient {
+    private client;
+    private encryptConfig;
+    private workspaceId;
+    constructor(workspaceCrn?: string);
+    /**
+     * Initializes the EncryptionClient with the provided configuration.
+     * @internal
+     * @param config - The configuration object for initializing the client.
+     * @returns A promise that resolves to a {@link Result} containing the initialized EncryptionClient or an {@link EncryptionError}.
+     **/
+    init(config: {
+        encryptConfig: EncryptConfig;
+        workspaceCrn?: string;
+        accessKey?: string;
+        clientId?: string;
+        clientKey?: string;
+        keyset?: KeysetIdentifier;
+    }): Promise<Result<EncryptionClient, EncryptionError>>;
+    /**
+     * Encrypt a value - returns a promise which resolves to an encrypted value.
+     *
+     * @param plaintext - The plaintext value to be encrypted. Can be null.
+     * @param opts - Options specifying the column and table for encryption.
+     * @returns An EncryptOperation that can be awaited or chained with additional methods.
+     *
+     * @example
+     * The following example demonstrates how to encrypt a value using the Encryption client.
+     * It includes defining an encryption schema with {@link encryptedTable} and {@link encryptedColumn},
+     * initializing the client with {@link Encryption}, and performing the encryption.
+     *
+     * `encrypt` returns an {@link EncryptOperation} which can be awaited to get a {@link Result}
+     * which can either be the encrypted value or an {@link EncryptionError}.
+     *
+     * ```typescript
+     * // Define encryption schema
+     * import { Encryption } from "@cipherstash/stack"
+     * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+     * const userSchema = encryptedTable("users", {
+     *  email: encryptedColumn("email"),
+     * });
+     *
+     * // Initialize Encryption client
+     * const client = await Encryption({ schemas: [userSchema] })
+     *
+     * // Encrypt a value
+     * const encryptedResult = await client.encrypt(
+     *  "person@example.com",
+     *  { column: userSchema.email, table: userSchema }
+     * )
+     *
+     * // Handle encryption result
+     * if (encryptedResult.failure) {
+     *   throw new Error(`Encryption failed: ${encryptedResult.failure.message}`);
+     * }
+     *
+     * console.log("Encrypted data:", encryptedResult.data);
+     * ```
+     *
+     * @example
+     * When encrypting data, a {@link LockContext} can be provided to tie the encryption to a specific user or session.
+     * This ensures that the same lock context is required for decryption.
+     *
+     * The following example demonstrates how to create a lock context using a user's JWT token
+     * and use it during encryption.
+     *
+     * ```typescript
+     * // Define encryption schema and initialize client as above
+     *
+     * // Create a lock for the user's `sub` claim from their JWT
+     * const lc = new LockContext();
+     * const lockContext = await lc.identify(userJwt);
+     *
+     * if (lockContext.failure) {
+     *   // Handle the failure
+     * }
+     *
+     * // Encrypt a value with the lock context
+     * // Decryption will then require the same lock context
+     * const encryptedResult = await client.encrypt(
+     *  "person@example.com",
+     *  { column: userSchema.email, table: userSchema }
+     * )
+     *  .withLockContext(lockContext)
+     * ```
+     *
+     * @see {@link Result}
+     * @see {@link encryptedTable}
+     * @see {@link LockContext}
+     * @see {@link EncryptOperation}
+     */
+    encrypt(plaintext: JsPlaintext | null, opts: EncryptOptions): EncryptOperation;
+    /**
+     * Encrypt a query value - returns a promise which resolves to an encrypted query value.
+     *
+     * @param plaintext - The plaintext value to be encrypted for querying. Can be null.
+     * @param opts - Options specifying the column, table, and optional queryType for encryption.
+     * @returns An EncryptQueryOperation that can be awaited or chained with additional methods.
+     *
+     * @example
+     * The following example demonstrates how to encrypt a query value using the Encryption client.
+     *
+     * ```typescript
+     * // Define encryption schema
+     * import { Encryption } from "@cipherstash/stack"
+     * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+     * const userSchema = encryptedTable("users", {
+     *  email: encryptedColumn("email").equality(),
+     * });
+     *
+     * // Initialize Encryption client
+     * const client = await Encryption({ schemas: [userSchema] })
+     *
+     * // Encrypt a query value
+     * const encryptedResult = await client.encryptQuery(
+     *  "person@example.com",
+     *  { column: userSchema.email, table: userSchema, queryType: 'equality' }
+     * )
+     *
+     * // Handle encryption result
+     * if (encryptedResult.failure) {
+     *   throw new Error(`Encryption failed: ${encryptedResult.failure.message}`);
+     * }
+     *
+     * console.log("Encrypted query:", encryptedResult.data);
+     * ```
+     *
+     * @example
+     * The queryType can be auto-inferred from the column's configured indexes:
+     *
+     * ```typescript
+     * // When queryType is omitted, it will be inferred from the column's indexes
+     * const encryptedResult = await client.encryptQuery(
+     *  "person@example.com",
+     *  { column: userSchema.email, table: userSchema }
+     * )
+     * ```
+     *
+     * @see {@link EncryptQueryOperation}
+     *
+     * **JSONB columns (searchableJson):**
+     * When `queryType` is omitted on a `searchableJson()` column, the query operation is inferred:
+     * - String plaintext → `steVecSelector` (JSONPath queries like `'$.user.email'`)
+     * - Object/Array plaintext → `steVecTerm` (containment queries like `{ role: 'admin' }`)
+     */
+    encryptQuery(plaintext: JsPlaintext | null, opts: EncryptQueryOptions): EncryptQueryOperation;
+    /**
+     * Encrypt multiple values for use in queries (batch operation).
+     * @param terms - Array of query terms to encrypt
+     */
+    encryptQuery(terms: readonly ScalarQueryTerm[]): BatchEncryptQueryOperation;
+    /**
+     * Decryption - returns a promise which resolves to a decrypted value.
+     *
+     * @param encryptedData - The encrypted data to be decrypted.
+     * @returns A DecryptOperation that can be awaited or chained with additional methods.
+     *
+     * @example
+     * The following example demonstrates how to decrypt a value that was previously encrypted using the {@link encrypt} method.
+     * It includes encrypting a value first, then decrypting it, and handling the result.
+     *
+     * ```typescript
+     * const encryptedData = await client.encrypt(
+     *  "person@example.com",
+     *  { column: "email", table: "users" }
+     * )
+     * const decryptResult = await client.decrypt(encryptedData)
+     * if (decryptResult.failure) {
+     *   throw new Error(`Decryption failed: ${decryptResult.failure.message}`);
+     * }
+     * console.log("Decrypted data:", decryptResult.data);
+     * ```
+     *
+     * @example
+     * Provide a lock context when decrypting:
+     * ```typescript
+     *    await client.decrypt(encryptedData)
+     *      .withLockContext(lockContext)
+     * ```
+     *
+     * @see {@link LockContext}
+     * @see {@link DecryptOperation}
+     */
+    decrypt(encryptedData: Encrypted): DecryptOperation;
+    /**
+     * Encrypt a model (object) based on the table schema.
+     *
+     * Only fields whose keys match columns defined in the table schema are encrypted.
+     * All other fields are passed through unchanged. Returns a thenable operation
+     * that supports `.withLockContext()` for identity-aware encryption.
+     *
+     * @param input - The model object with plaintext values to encrypt.
+     * @param table - The table schema defining which fields to encrypt.
+     * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
+     *   containing the model with encrypted fields, or an `EncryptionError`.
+     *
+     * @example
+     * ```typescript
+     * import { Encryption } from "@cipherstash/stack"
+     * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+     *
+     * type User = { id: string; email: string; createdAt: Date }
+     *
+     * const usersSchema = encryptedTable("users", {
+     *   email: encryptedColumn("email").equality(),
+     * })
+     *
+     * const client = await Encryption({ schemas: [usersSchema] })
+     *
+     * const result = await client.encryptModel<User>(
+     *   { id: "user_123", email: "alice@example.com", createdAt: new Date() },
+     *   usersSchema,
+     * )
+     *
+     * if (result.failure) {
+     *   console.error(result.failure.message)
+     * } else {
+     *   // result.data.id is unchanged, result.data.email is encrypted
+     *   console.log(result.data)
+     * }
+     * ```
+     */
+    encryptModel<T extends Record<string, unknown>>(input: Decrypted<T>, table: ProtectTable<ProtectTableColumn>): EncryptModelOperation<T>;
+    /**
+     * Decrypt a model (object) whose fields contain encrypted values.
+     *
+     * Identifies encrypted fields automatically and decrypts them, returning the
+     * model with plaintext values. Returns a thenable operation that supports
+     * `.withLockContext()` for identity-aware decryption.
+     *
+     * @param input - The model object with encrypted field values.
+     * @returns A `DecryptModelOperation<T>` that can be awaited to get a `Result`
+     *   containing the model with decrypted plaintext fields, or an `EncryptionError`.
+     *
+     * @example
+     * ```typescript
+     * // Decrypt a previously encrypted model
+     * const decrypted = await client.decryptModel<User>(encryptedUser)
+     *
+     * if (decrypted.failure) {
+     *   console.error(decrypted.failure.message)
+     * } else {
+     *   console.log(decrypted.data.email) // "alice@example.com"
+     * }
+     *
+     * // With a lock context
+     * const decrypted = await client
+     *   .decryptModel<User>(encryptedUser)
+     *   .withLockContext(lockContext)
+     * ```
+     */
+    decryptModel<T extends Record<string, unknown>>(input: T): DecryptModelOperation<T>;
+    /**
+     * Encrypt multiple models (objects) in a single bulk operation.
+     *
+     * Performs a single call to ZeroKMS regardless of the number of models,
+     * while still using a unique key for each encrypted value. Only fields
+     * matching the table schema are encrypted; other fields pass through unchanged.
+     *
+     * @param input - An array of model objects with plaintext values to encrypt.
+     * @param table - The table schema defining which fields to encrypt.
+     * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
+     *   containing an array of models with encrypted fields, or an `EncryptionError`.
+     *
+     * @example
+     * ```typescript
+     * import { Encryption } from "@cipherstash/stack"
+     * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+     *
+     * type User = { id: string; email: string }
+     *
+     * const usersSchema = encryptedTable("users", {
+     *   email: encryptedColumn("email"),
+     * })
+     *
+     * const client = await Encryption({ schemas: [usersSchema] })
+     *
+     * const result = await client.bulkEncryptModels<User>(
+     *   [
+     *     { id: "1", email: "alice@example.com" },
+     *     { id: "2", email: "bob@example.com" },
+     *   ],
+     *   usersSchema,
+     * )
+     *
+     * if (!result.failure) {
+     *   console.log(result.data) // array of models with encrypted email fields
+     * }
+     * ```
+     */
+    bulkEncryptModels<T extends Record<string, unknown>>(input: Array<Decrypted<T>>, table: ProtectTable<ProtectTableColumn>): BulkEncryptModelsOperation<T>;
+    /**
+     * Decrypt multiple models (objects) in a single bulk operation.
+     *
+     * Performs a single call to ZeroKMS regardless of the number of models,
+     * restoring all encrypted fields to their original plaintext values.
+     *
+     * @param input - An array of model objects with encrypted field values.
+     * @returns A `BulkDecryptModelsOperation<T>` that can be awaited to get a `Result`
+     *   containing an array of models with decrypted plaintext fields, or an `EncryptionError`.
+     *
+     * @example
+     * ```typescript
+     * const encryptedUsers = encryptedResult.data // from bulkEncryptModels
+     *
+     * const result = await client.bulkDecryptModels<User>(encryptedUsers)
+     *
+     * if (!result.failure) {
+     *   for (const user of result.data) {
+     *     console.log(user.email) // plaintext email
+     *   }
+     * }
+     *
+     * // With a lock context
+     * const result = await client
+     *   .bulkDecryptModels<User>(encryptedUsers)
+     *   .withLockContext(lockContext)
+     * ```
+     */
+    bulkDecryptModels<T extends Record<string, unknown>>(input: Array<T>): BulkDecryptModelsOperation<T>;
+    /**
+     * Encrypt multiple plaintext values in a single bulk operation.
+     *
+     * Each value is encrypted with its own unique key via a single call to ZeroKMS.
+     * Values can include optional `id` fields for correlating results back to
+     * your application data. Null plaintext values are preserved as null.
+     *
+     * @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
+     * @param opts - Options specifying the target column and table for encryption.
+     * @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
+     *   containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
+     *
+     * @example
+     * ```typescript
+     * import { Encryption } from "@cipherstash/stack"
+     * import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
+     *
+     * const users = encryptedTable("users", {
+     *   email: encryptedColumn("email"),
+     * })
+     * const client = await Encryption({ schemas: [users] })
+     *
+     * const result = await client.bulkEncrypt(
+     *   [
+     *     { id: "u1", plaintext: "alice@example.com" },
+     *     { id: "u2", plaintext: "bob@example.com" },
+     *     { id: "u3", plaintext: null },
+     *   ],
+     *   { column: users.email, table: users },
+     * )
+     *
+     * if (!result.failure) {
+     *   // result.data = [{ id: "u1", data: Encrypted }, { id: "u2", data: Encrypted }, ...]
+     *   console.log(result.data)
+     * }
+     * ```
+     */
+    bulkEncrypt(plaintexts: BulkEncryptPayload, opts: EncryptOptions): BulkEncryptOperation;
+    /**
+     * Decrypt multiple encrypted values in a single bulk operation.
+     *
+     * Performs a single call to ZeroKMS to decrypt all values. The result uses
+     * a multi-status pattern: each item in the returned array has either a `data`
+     * field (success) or an `error` field (failure), allowing graceful handling
+     * of partial failures.
+     *
+     * @param encryptedPayloads - An array of objects with `data` (encrypted payload) and optional `id` fields.
+     * @returns A `BulkDecryptOperation` that can be awaited to get a `Result`
+     *   containing an array of `{ id?, data: plaintext }` or `{ id?, error: string }` objects,
+     *   or an `EncryptionError` if the entire operation fails.
+     *
+     * @example
+     * ```typescript
+     * const encrypted = await client.bulkEncrypt(plaintexts, { column: users.email, table: users })
+     *
+     * const result = await client.bulkDecrypt(encrypted.data)
+     *
+     * if (!result.failure) {
+     *   for (const item of result.data) {
+     *     if ("data" in item) {
+     *       console.log(`${item.id}: ${item.data}`)
+     *     } else {
+     *       console.error(`${item.id} failed: ${item.error}`)
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    bulkDecrypt(encryptedPayloads: BulkDecryptPayload): BulkDecryptOperation;
+    /** e.g., debugging or environment info */
+    clientInfo(): {
+        workspaceId: string | undefined;
+    };
+}
+
+export { type AuditConfig as A, EncryptionClient as E };