@cipherstash/stack 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/README.md +1 -2
- package/dist/bin/stash.js +63 -45
- package/dist/bin/stash.js.map +1 -1
- package/dist/{chunk-5G4F4JJG.js → chunk-JLI27P46.js} +1 -1
- package/dist/chunk-JLI27P46.js.map +1 -0
- package/dist/{chunk-LHZ6KZIG.js → chunk-MW6D52V2.js} +42 -31
- package/dist/chunk-MW6D52V2.js.map +1 -0
- package/dist/{chunk-5DCT6YU2.js → chunk-OAPLZLR5.js} +7 -3
- package/dist/{chunk-5DCT6YU2.js.map → chunk-OAPLZLR5.js.map} +1 -1
- package/dist/{chunk-7XRPN2KX.js → chunk-TBAIVO6T.js} +26 -23
- package/dist/chunk-TBAIVO6T.js.map +1 -0
- package/dist/{client-D-ZH8SB2.d.cts → client-Bf0Xw2xo.d.cts} +19 -16
- package/dist/{client-BV9pXC-d.d.ts → client-Kfp8OsPB.d.ts} +19 -16
- package/dist/client.cjs +25 -22
- package/dist/client.cjs.map +1 -1
- package/dist/client.d.cts +2 -2
- package/dist/client.d.ts +2 -2
- package/dist/client.js +5 -5
- package/dist/drizzle/index.cjs +19 -16
- package/dist/drizzle/index.cjs.map +1 -1
- package/dist/drizzle/index.d.cts +5 -5
- package/dist/drizzle/index.d.ts +5 -5
- package/dist/drizzle/index.js +2 -2
- package/dist/drizzle/index.js.map +1 -1
- package/dist/dynamodb/index.cjs.map +1 -1
- package/dist/dynamodb/index.d.cts +10 -10
- package/dist/dynamodb/index.d.ts +10 -10
- package/dist/dynamodb/index.js.map +1 -1
- package/dist/identity/index.cjs +6 -2
- package/dist/identity/index.cjs.map +1 -1
- package/dist/identity/index.js +1 -1
- package/dist/index.cjs +67 -49
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +3 -3
- package/dist/index.d.ts +3 -3
- package/dist/index.js +7 -7
- package/dist/schema/index.cjs +31 -28
- package/dist/schema/index.cjs.map +1 -1
- package/dist/schema/index.d.cts +1 -1
- package/dist/schema/index.d.ts +1 -1
- package/dist/schema/index.js +11 -11
- package/dist/secrets/index.cjs +63 -45
- package/dist/secrets/index.cjs.map +1 -1
- package/dist/secrets/index.d.cts +1 -1
- package/dist/secrets/index.d.ts +1 -1
- package/dist/secrets/index.js +4 -4
- package/dist/secrets/index.js.map +1 -1
- package/dist/supabase/index.cjs +7 -7
- package/dist/supabase/index.cjs.map +1 -1
- package/dist/supabase/index.d.cts +3 -3
- package/dist/supabase/index.d.ts +3 -3
- package/dist/supabase/index.js +3 -3
- package/dist/supabase/index.js.map +1 -1
- package/dist/{types-public-Dfg-hkuQ.d.cts → types-public-0CzBV45X.d.cts} +70 -52
- package/dist/{types-public-Dfg-hkuQ.d.ts → types-public-0CzBV45X.d.ts} +70 -52
- package/dist/types-public.cjs.map +1 -1
- package/dist/types-public.d.cts +1 -1
- package/dist/types-public.d.ts +1 -1
- package/dist/types-public.js +1 -1
- package/package.json +1 -1
- package/dist/chunk-5G4F4JJG.js.map +0 -1
- package/dist/chunk-7XRPN2KX.js.map +0 -1
- package/dist/chunk-LHZ6KZIG.js.map +0 -1
|
@@ -43,7 +43,7 @@ var encryptConfigSchema = z.object({
|
|
|
43
43
|
v: z.number(),
|
|
44
44
|
tables: tablesSchema
|
|
45
45
|
});
|
|
46
|
-
var
|
|
46
|
+
var EncryptedField = class {
|
|
47
47
|
valueName;
|
|
48
48
|
castAsValue;
|
|
49
49
|
constructor(valueName) {
|
|
@@ -51,20 +51,20 @@ var ProtectValue = class {
|
|
|
51
51
|
this.castAsValue = "string";
|
|
52
52
|
}
|
|
53
53
|
/**
|
|
54
|
-
* Set or override the plaintext data type for this
|
|
54
|
+
* Set or override the plaintext data type for this field.
|
|
55
55
|
*
|
|
56
56
|
* By default all values are treated as `'string'`. Use this method to specify
|
|
57
57
|
* a different type so the encryption layer knows how to encode the plaintext
|
|
58
58
|
* before encrypting.
|
|
59
59
|
*
|
|
60
60
|
* @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
|
|
61
|
-
* @returns This `
|
|
61
|
+
* @returns This `EncryptedField` instance for method chaining.
|
|
62
62
|
*
|
|
63
63
|
* @example
|
|
64
64
|
* ```typescript
|
|
65
|
-
* import {
|
|
65
|
+
* import { encryptedField } from "@cipherstash/stack/schema"
|
|
66
66
|
*
|
|
67
|
-
* const age =
|
|
67
|
+
* const age = encryptedField("age").dataType("number")
|
|
68
68
|
* ```
|
|
69
69
|
*/
|
|
70
70
|
dataType(castAs) {
|
|
@@ -81,7 +81,7 @@ var ProtectValue = class {
|
|
|
81
81
|
return this.valueName;
|
|
82
82
|
}
|
|
83
83
|
};
|
|
84
|
-
var
|
|
84
|
+
var EncryptedColumn = class {
|
|
85
85
|
columnName;
|
|
86
86
|
castAsValue;
|
|
87
87
|
indexesValue = {};
|
|
@@ -97,7 +97,7 @@ var ProtectColumn = class {
|
|
|
97
97
|
* before encrypting.
|
|
98
98
|
*
|
|
99
99
|
* @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
|
|
100
|
-
* @returns This `
|
|
100
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
101
101
|
*
|
|
102
102
|
* @example
|
|
103
103
|
* ```typescript
|
|
@@ -116,7 +116,7 @@ var ProtectColumn = class {
|
|
|
116
116
|
* ORE allows sorting, comparison, and range queries on encrypted data.
|
|
117
117
|
* Use with `encryptQuery` and `queryType: 'orderAndRange'`.
|
|
118
118
|
*
|
|
119
|
-
* @returns This `
|
|
119
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
120
120
|
*
|
|
121
121
|
* @example
|
|
122
122
|
* ```typescript
|
|
@@ -139,7 +139,7 @@ var ProtectColumn = class {
|
|
|
139
139
|
*
|
|
140
140
|
* @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
|
|
141
141
|
* When omitted, no token filters are applied.
|
|
142
|
-
* @returns This `
|
|
142
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
143
143
|
*
|
|
144
144
|
* @example
|
|
145
145
|
* ```typescript
|
|
@@ -164,7 +164,7 @@ var ProtectColumn = class {
|
|
|
164
164
|
*
|
|
165
165
|
* @param opts - Optional match index configuration. Defaults to 3-character ngram
|
|
166
166
|
* tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
|
|
167
|
-
* @returns This `
|
|
167
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
168
168
|
*
|
|
169
169
|
* @example
|
|
170
170
|
* ```typescript
|
|
@@ -209,7 +209,7 @@ var ProtectColumn = class {
|
|
|
209
209
|
* the plaintext type: strings become selector queries, objects/arrays become
|
|
210
210
|
* containment queries.
|
|
211
211
|
*
|
|
212
|
-
* @returns This `
|
|
212
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
213
213
|
*
|
|
214
214
|
* @example
|
|
215
215
|
* ```typescript
|
|
@@ -235,7 +235,7 @@ var ProtectColumn = class {
|
|
|
235
235
|
return this.columnName;
|
|
236
236
|
}
|
|
237
237
|
};
|
|
238
|
-
var
|
|
238
|
+
var EncryptedTable = class {
|
|
239
239
|
constructor(tableName, columnBuilders) {
|
|
240
240
|
this.tableName = tableName;
|
|
241
241
|
this.columnBuilders = columnBuilders;
|
|
@@ -262,7 +262,7 @@ var ProtectTable = class {
|
|
|
262
262
|
build() {
|
|
263
263
|
const builtColumns = {};
|
|
264
264
|
const processColumn = (builder, colName) => {
|
|
265
|
-
if (builder instanceof
|
|
265
|
+
if (builder instanceof EncryptedColumn) {
|
|
266
266
|
const builtColumn = builder.build();
|
|
267
267
|
if (builtColumn.cast_as === "json" && builtColumn.indexes.ste_vec?.prefix === "enabled") {
|
|
268
268
|
builtColumns[colName] = {
|
|
@@ -279,7 +279,7 @@ var ProtectTable = class {
|
|
|
279
279
|
}
|
|
280
280
|
} else {
|
|
281
281
|
for (const [key, value] of Object.entries(builder)) {
|
|
282
|
-
if (value instanceof
|
|
282
|
+
if (value instanceof EncryptedField) {
|
|
283
283
|
builtColumns[value.getName()] = value.build();
|
|
284
284
|
} else {
|
|
285
285
|
processColumn(value, key);
|
|
@@ -297,7 +297,10 @@ var ProtectTable = class {
|
|
|
297
297
|
}
|
|
298
298
|
};
|
|
299
299
|
function encryptedTable(tableName, columns) {
|
|
300
|
-
const tableBuilder = new
|
|
300
|
+
const tableBuilder = new EncryptedTable(
|
|
301
|
+
tableName,
|
|
302
|
+
columns
|
|
303
|
+
);
|
|
301
304
|
for (const [colName, colBuilder] of Object.entries(columns)) {
|
|
302
305
|
;
|
|
303
306
|
tableBuilder[colName] = colBuilder;
|
|
@@ -305,10 +308,10 @@ function encryptedTable(tableName, columns) {
|
|
|
305
308
|
return tableBuilder;
|
|
306
309
|
}
|
|
307
310
|
function encryptedColumn(columnName) {
|
|
308
|
-
return new
|
|
311
|
+
return new EncryptedColumn(columnName);
|
|
309
312
|
}
|
|
310
|
-
function
|
|
311
|
-
return new
|
|
313
|
+
function encryptedField(valueName) {
|
|
314
|
+
return new EncryptedField(valueName);
|
|
312
315
|
}
|
|
313
316
|
function buildEncryptConfig(...protectTables) {
|
|
314
317
|
const config = {
|
|
@@ -325,12 +328,12 @@ function buildEncryptConfig(...protectTables) {
|
|
|
325
328
|
export {
|
|
326
329
|
castAsEnum,
|
|
327
330
|
encryptConfigSchema,
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
+
EncryptedField,
|
|
332
|
+
EncryptedColumn,
|
|
333
|
+
EncryptedTable,
|
|
331
334
|
encryptedTable,
|
|
332
335
|
encryptedColumn,
|
|
333
|
-
|
|
336
|
+
encryptedField,
|
|
334
337
|
buildEncryptConfig
|
|
335
338
|
};
|
|
336
|
-
//# sourceMappingURL=chunk-
|
|
339
|
+
//# sourceMappingURL=chunk-TBAIVO6T.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/schema/index.ts"],"sourcesContent":["import type { Encrypted } from '@/types'\nimport { z } from 'zod'\n\n// ------------------------\n// Zod schemas\n// ------------------------\n\n/**\n * Allowed cast types for CipherStash schema fields.\n *\n * **Possible values:**\n * - `\"bigint\"`\n * - `\"boolean\"`\n * - `\"date\"`\n * - `\"number\"`\n * - `\"string\"`\n * - `\"json\"`\n *\n * @remarks\n * This is a Zod enum used at runtime to validate schema definitions.\n * Use {@link CastAs} when typing your own code.\n *\n * @internal\n */\nexport const castAsEnum = z\n .enum(['bigint', 'boolean', 'date', 'number', 'string', 'json'])\n .default('string')\n\nconst tokenFilterSchema = z.object({\n kind: z.literal('downcase'),\n})\n\nconst tokenizerSchema = z\n .union([\n z.object({\n kind: z.literal('standard'),\n }),\n z.object({\n kind: z.literal('ngram'),\n token_length: z.number(),\n }),\n ])\n .default({ kind: 'ngram', token_length: 3 })\n .optional()\n\nconst oreIndexOptsSchema = z.object({})\n\nconst uniqueIndexOptsSchema = z.object({\n token_filters: z.array(tokenFilterSchema).default([]).optional(),\n})\n\nconst matchIndexOptsSchema = z.object({\n tokenizer: tokenizerSchema,\n token_filters: z.array(tokenFilterSchema).default([]).optional(),\n k: z.number().default(6).optional(),\n m: z.number().default(2048).optional(),\n include_original: z.boolean().default(false).optional(),\n})\n\nconst steVecIndexOptsSchema = z.object({\n prefix: z.string(),\n})\n\nconst indexesSchema = z\n .object({\n ore: oreIndexOptsSchema.optional(),\n unique: uniqueIndexOptsSchema.optional(),\n match: matchIndexOptsSchema.optional(),\n ste_vec: steVecIndexOptsSchema.optional(),\n })\n .default({})\n\nconst columnSchema = z\n .object({\n cast_as: castAsEnum,\n indexes: indexesSchema,\n })\n .default({})\n\nconst tableSchema = z.record(columnSchema).default({})\n\nconst tablesSchema = z.record(tableSchema).default({})\n\n/** @internal */\nexport const encryptConfigSchema = z.object({\n v: z.number(),\n tables: tablesSchema,\n})\n\n// ------------------------\n// Type definitions\n// ------------------------\n\n/**\n * Type-safe alias for {@link castAsEnum} used to specify the *unencrypted* data type of a column or value.\n * This is important because once encrypted, all data is stored as binary blobs.\n *\n * @see {@link castAsEnum} for possible values.\n */\nexport type CastAs = z.infer<typeof castAsEnum>\nexport type TokenFilter = z.infer<typeof tokenFilterSchema>\nexport type MatchIndexOpts = z.infer<typeof matchIndexOptsSchema>\nexport type SteVecIndexOpts = z.infer<typeof steVecIndexOptsSchema>\nexport type UniqueIndexOpts = z.infer<typeof uniqueIndexOptsSchema>\nexport type OreIndexOpts = z.infer<typeof oreIndexOptsSchema>\nexport type ColumnSchema = z.infer<typeof columnSchema>\n\n/**\n * Shape of table columns: either top-level {@link EncryptedColumn} or nested\n * objects whose leaves are {@link EncryptedField}. Used with {@link encryptedTable}.\n */\nexport type EncryptedTableColumn = {\n [key: string]:\n | EncryptedColumn\n | {\n [key: string]:\n | EncryptedField\n | {\n [key: string]:\n | EncryptedField\n | {\n [key: string]: EncryptedField\n }\n }\n }\n}\nexport type EncryptConfig = z.infer<typeof encryptConfigSchema>\n\n// ------------------------\n// Interface definitions\n// ------------------------\n\n/**\n * Builder for a nested encrypted field (encrypted but not searchable).\n * Create with {@link encryptedField}. Use inside nested objects in {@link encryptedTable};\n * supports `.dataType()` for plaintext type. No index methods (equality, orderAndRange, etc.).\n */\nexport class EncryptedField {\n private valueName: string\n private castAsValue: CastAs\n\n constructor(valueName: string) {\n this.valueName = valueName\n this.castAsValue = 'string'\n }\n\n /**\n * Set or override the plaintext data type for this field.\n *\n * By default all values are treated as `'string'`. Use this method to specify\n * a different type so the encryption layer knows how to encode the plaintext\n * before encrypting.\n *\n * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.\n * @returns This `EncryptedField` instance for method chaining.\n *\n * @example\n * ```typescript\n * import { encryptedField } from \"@cipherstash/stack/schema\"\n *\n * const age = encryptedField(\"age\").dataType(\"number\")\n * ```\n */\n dataType(castAs: CastAs) {\n this.castAsValue = castAs\n return this\n }\n\n build() {\n return {\n cast_as: this.castAsValue,\n indexes: {},\n }\n }\n\n getName() {\n return this.valueName\n }\n}\n\nexport class EncryptedColumn {\n private columnName: string\n private castAsValue: CastAs\n private indexesValue: {\n ore?: OreIndexOpts\n unique?: UniqueIndexOpts\n match?: Required<MatchIndexOpts>\n ste_vec?: SteVecIndexOpts\n } = {}\n\n constructor(columnName: string) {\n this.columnName = columnName\n this.castAsValue = 'string'\n }\n\n /**\n * Set or override the plaintext data type for this column.\n *\n * By default all columns are treated as `'string'`. Use this method to specify\n * a different type so the encryption layer knows how to encode the plaintext\n * before encrypting.\n *\n * @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.\n * @returns This `EncryptedColumn` instance for method chaining.\n *\n * @example\n * ```typescript\n * import { encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const dateOfBirth = encryptedColumn(\"date_of_birth\").dataType(\"date\")\n * ```\n */\n dataType(castAs: CastAs) {\n this.castAsValue = castAs\n return this\n }\n\n /**\n * Enable Order-Revealing Encryption (ORE) indexing on this column.\n *\n * ORE allows sorting, comparison, and range queries on encrypted data.\n * Use with `encryptQuery` and `queryType: 'orderAndRange'`.\n *\n * @returns This `EncryptedColumn` instance for method chaining.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").orderAndRange(),\n * })\n * ```\n */\n orderAndRange() {\n this.indexesValue.ore = {}\n return this\n }\n\n /**\n * Enable an exact-match (unique) index on this column.\n *\n * Allows equality queries on encrypted data. Use with `encryptQuery`\n * and `queryType: 'equality'`.\n *\n * @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).\n * When omitted, no token filters are applied.\n * @returns This `EncryptedColumn` instance for method chaining.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").equality(),\n * })\n * ```\n */\n equality(tokenFilters?: TokenFilter[]) {\n this.indexesValue.unique = {\n token_filters: tokenFilters ?? [],\n }\n return this\n }\n\n /**\n * Enable a full-text / fuzzy search (match) index on this column.\n *\n * Uses n-gram tokenization by default for substring and fuzzy matching.\n * Use with `encryptQuery` and `queryType: 'freeTextSearch'`.\n *\n * @param opts - Optional match index configuration. Defaults to 3-character ngram\n * tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.\n * @returns This `EncryptedColumn` instance for method chaining.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").freeTextSearch(),\n * })\n *\n * // With custom options\n * const posts = encryptedTable(\"posts\", {\n * body: encryptedColumn(\"body\").freeTextSearch({\n * tokenizer: { kind: \"ngram\", token_length: 4 },\n * k: 8,\n * m: 4096,\n * }),\n * })\n * ```\n */\n freeTextSearch(opts?: MatchIndexOpts) {\n // Provide defaults\n this.indexesValue.match = {\n tokenizer: opts?.tokenizer ?? { kind: 'ngram', token_length: 3 },\n token_filters: opts?.token_filters ?? [\n {\n kind: 'downcase',\n },\n ],\n k: opts?.k ?? 6,\n m: opts?.m ?? 2048,\n include_original: opts?.include_original ?? true,\n }\n return this\n }\n\n /**\n * Configure this column for searchable encrypted JSON (STE-Vec).\n *\n * Enables encrypted JSONPath selector queries (e.g. `'$.user.email'`) and\n * containment queries (e.g. `{ role: 'admin' }`). Automatically sets the\n * data type to `'json'`.\n *\n * When used with `encryptQuery`, the query operation is auto-inferred from\n * the plaintext type: strings become selector queries, objects/arrays become\n * containment queries.\n *\n * @returns This `EncryptedColumn` instance for method chaining.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const documents = encryptedTable(\"documents\", {\n * metadata: encryptedColumn(\"metadata\").searchableJson(),\n * })\n * ```\n */\n searchableJson() {\n this.castAsValue = 'json'\n this.indexesValue.ste_vec = { prefix: 'enabled' }\n return this\n }\n\n build() {\n return {\n cast_as: this.castAsValue,\n indexes: this.indexesValue,\n }\n }\n\n getName() {\n return this.columnName\n }\n}\n\ninterface TableDefinition {\n tableName: string\n columns: Record<string, ColumnSchema>\n}\n\nexport class EncryptedTable<T extends EncryptedTableColumn> {\n /** @internal Type-level brand so TypeScript can infer `T` from `EncryptedTable<T>`. */\n declare readonly _columnType: T\n\n constructor(\n public readonly tableName: string,\n private readonly columnBuilders: T,\n ) {}\n\n /**\n * Compile this table schema into a `TableDefinition` used internally by the encryption client.\n *\n * Iterates over all column builders, calls `.build()` on each, and assembles\n * the final `{ tableName, columns }` structure. For `searchableJson()` columns,\n * the STE-Vec prefix is automatically set to `\"<tableName>/<columnName>\"`.\n *\n * @returns A `TableDefinition` containing the table name and built column configs.\n *\n * @example\n * ```typescript\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").equality(),\n * })\n *\n * const definition = users.build()\n * // { tableName: \"users\", columns: { email: { cast_as: \"string\", indexes: { unique: ... } } } }\n * ```\n */\n build(): TableDefinition {\n const builtColumns: Record<string, ColumnSchema> = {}\n\n const processColumn = (\n builder:\n | EncryptedColumn\n | Record<\n string,\n | EncryptedField\n | Record<\n string,\n | EncryptedField\n | Record<\n string,\n EncryptedField | Record<string, EncryptedField>\n >\n >\n >,\n colName: string,\n ) => {\n if (builder instanceof EncryptedColumn) {\n const builtColumn = builder.build()\n\n // Hanlde building the ste_vec index for JSON columns so users don't have to pass the prefix.\n if (\n builtColumn.cast_as === 'json' &&\n builtColumn.indexes.ste_vec?.prefix === 'enabled'\n ) {\n builtColumns[colName] = {\n ...builtColumn,\n indexes: {\n ...builtColumn.indexes,\n ste_vec: {\n prefix: `${this.tableName}/${colName}`,\n },\n },\n }\n } else {\n builtColumns[colName] = builtColumn\n }\n } else {\n for (const [key, value] of Object.entries(builder)) {\n if (value instanceof EncryptedField) {\n builtColumns[value.getName()] = value.build()\n } else {\n processColumn(value, key)\n }\n }\n }\n }\n\n for (const [colName, builder] of Object.entries(this.columnBuilders)) {\n processColumn(builder, colName)\n }\n\n return {\n tableName: this.tableName,\n columns: builtColumns,\n }\n }\n}\n\n// ------------------------\n// Schema type inference helpers\n// ------------------------\n\n/**\n * Infer the plaintext (decrypted) type from a EncryptedTable schema.\n *\n * @example\n * ```typescript\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").equality(),\n * name: encryptedColumn(\"name\"),\n * })\n *\n * type UserPlaintext = InferPlaintext<typeof users>\n * // => { email: string; name: string }\n * ```\n */\nexport type InferPlaintext<T extends EncryptedTable<any>> =\n T extends EncryptedTable<infer C>\n ? {\n [K in keyof C as C[K] extends EncryptedColumn | EncryptedField\n ? K\n : never]: string\n }\n : never\n\n/**\n * Infer the encrypted type from a EncryptedTable schema.\n *\n * @example\n * ```typescript\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").equality(),\n * })\n *\n * type UserEncrypted = InferEncrypted<typeof users>\n * // => { email: Encrypted }\n * ```\n */\nexport type InferEncrypted<T extends EncryptedTable<any>> =\n T extends EncryptedTable<infer C>\n ? {\n [K in keyof C as C[K] extends EncryptedColumn | EncryptedField\n ? K\n : never]: Encrypted\n }\n : never\n\n// ------------------------\n// User facing functions\n// ------------------------\n\n/**\n * Define an encrypted table schema.\n *\n * Creates a `EncryptedTable` that maps a database table name to a set of encrypted\n * column definitions. Pass the resulting object to `Encryption({ schemas: [...] })`\n * when initializing the client.\n *\n * The returned object is also a proxy that exposes each column builder directly,\n * so you can reference columns as `users.email` when calling `encrypt`, `decrypt`,\n * and `encryptQuery`.\n *\n * @param tableName - The name of the database table this schema represents.\n * @param columns - An object whose keys are logical column names and values are\n * {@link EncryptedColumn} from {@link encryptedColumn}, or nested objects whose\n * leaves are {@link EncryptedField} from {@link encryptedField}.\n * @returns A `EncryptedTable<T> & T` that can be used as both a schema definition\n * and a column accessor.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").equality().freeTextSearch(),\n * address: encryptedColumn(\"address\"),\n * })\n *\n * // Use as schema\n * const client = await Encryption({ schemas: [users] })\n *\n * // Use as column accessor\n * await client.encrypt(\"hello@example.com\", { column: users.email, table: users })\n * ```\n */\nexport function encryptedTable<T extends EncryptedTableColumn>(\n tableName: string,\n columns: T,\n): EncryptedTable<T> & T {\n const tableBuilder = new EncryptedTable(\n tableName,\n columns,\n ) as EncryptedTable<T> & T\n\n for (const [colName, colBuilder] of Object.entries(columns)) {\n ;(tableBuilder as EncryptedTableColumn)[colName] = colBuilder\n }\n\n return tableBuilder\n}\n\n/**\n * Define an encrypted column within a table schema.\n *\n * Creates a `EncryptedColumn` builder for the given column name. Chain index\n * methods (`.equality()`, `.freeTextSearch()`, `.orderAndRange()`,\n * `.searchableJson()`) and/or `.dataType()` to configure searchable encryption\n * and the plaintext data type.\n *\n * @param columnName - The name of the database column to encrypt.\n * @returns A new `EncryptedColumn` builder.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedColumn } from \"@cipherstash/stack/schema\"\n *\n * const users = encryptedTable(\"users\", {\n * email: encryptedColumn(\"email\").equality().freeTextSearch().orderAndRange(),\n * })\n * ```\n */\nexport function encryptedColumn(columnName: string) {\n return new EncryptedColumn(columnName)\n}\n\n/**\n * Define an encrypted field for use in nested or structured schemas.\n *\n * `encryptedField` is similar to {@link encryptedColumn} but creates an {@link EncryptedField}\n * for nested fields that are encrypted but not searchable (no indexes). Use `.dataType()`\n * to specify the plaintext type.\n *\n * @param valueName - The name of the value field.\n * @returns A new `EncryptedField` builder.\n *\n * @example\n * ```typescript\n * import { encryptedTable, encryptedField } from \"@cipherstash/stack/schema\"\n *\n * const orders = encryptedTable(\"orders\", {\n * details: {\n * amount: encryptedField(\"amount\").dataType(\"number\"),\n * currency: encryptedField(\"currency\"),\n * },\n * })\n * ```\n */\nexport function encryptedField(valueName: string) {\n return new EncryptedField(valueName)\n}\n\n// ------------------------\n// Internal functions\n// ------------------------\n\n/** @internal */\nexport function buildEncryptConfig(\n ...protectTables: Array<EncryptedTable<EncryptedTableColumn>>\n): EncryptConfig {\n const config: EncryptConfig = {\n v: 2,\n tables: {},\n }\n\n for (const tb of protectTables) {\n const tableDef = tb.build()\n config.tables[tableDef.tableName] = tableDef.columns\n }\n\n return config\n}\n"],"mappings":";AACA,SAAS,SAAS;AAuBX,IAAM,aAAa,EACvB,KAAK,CAAC,UAAU,WAAW,QAAQ,UAAU,UAAU,MAAM,CAAC,EAC9D,QAAQ,QAAQ;AAEnB,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACjC,MAAM,EAAE,QAAQ,UAAU;AAC5B,CAAC;AAED,IAAM,kBAAkB,EACrB,MAAM;AAAA,EACL,EAAE,OAAO;AAAA,IACP,MAAM,EAAE,QAAQ,UAAU;AAAA,EAC5B,CAAC;AAAA,EACD,EAAE,OAAO;AAAA,IACP,MAAM,EAAE,QAAQ,OAAO;AAAA,IACvB,cAAc,EAAE,OAAO;AAAA,EACzB,CAAC;AACH,CAAC,EACA,QAAQ,EAAE,MAAM,SAAS,cAAc,EAAE,CAAC,EAC1C,SAAS;AAEZ,IAAM,qBAAqB,EAAE,OAAO,CAAC,CAAC;AAEtC,IAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,eAAe,EAAE,MAAM,iBAAiB,EAAE,QAAQ,CAAC,CAAC,EAAE,SAAS;AACjE,CAAC;AAED,IAAM,uBAAuB,EAAE,OAAO;AAAA,EACpC,WAAW;AAAA,EACX,eAAe,EAAE,MAAM,iBAAiB,EAAE,QAAQ,CAAC,CAAC,EAAE,SAAS;AAAA,EAC/D,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,SAAS;AAAA,EAClC,GAAG,EAAE,OAAO,EAAE,QAAQ,IAAI,EAAE,SAAS;AAAA,EACrC,kBAAkB,EAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS;AACxD,CAAC;AAED,IAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,QAAQ,EAAE,OAAO;AACnB,CAAC;AAED,IAAM,gBAAgB,EACnB,OAAO;AAAA,EACN,KAAK,mBAAmB,SAAS;AAAA,EACjC,QAAQ,sBAAsB,SAAS;AAAA,EACvC,OAAO,qBAAqB,SAAS;AAAA,EACrC,SAAS,sBAAsB,SAAS;AAC1C,CAAC,EACA,QAAQ,CAAC,CAAC;AAEb,IAAM,eAAe,EAClB,OAAO;AAAA,EACN,SAAS;AAAA,EACT,SAAS;AACX,CAAC,EACA,QAAQ,CAAC,CAAC;AAEb,IAAM,cAAc,EAAE,OAAO,YAAY,EAAE,QAAQ,CAAC,CAAC;AAErD,IAAM,eAAe,EAAE,OAAO,WAAW,EAAE,QAAQ,CAAC,CAAC;AAG9C,IAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,GAAG,EAAE,OAAO;AAAA,EACZ,QAAQ;AACV,CAAC;AAkDM,IAAM,iBAAN,MAAqB;AAAA,EAClB;AAAA,EACA;AAAA,EAER,YAAY,WAAmB;AAC7B,SAAK,YAAY;AACjB,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,SAAS,QAAgB;AACvB,SAAK,cAAc;AACnB,WAAO;AAAA,EACT;AAAA,EAEA,QAAQ;AACN,WAAO;AAAA,MACL,SAAS,KAAK;AAAA,MACd,SAAS,CAAC;AAAA,IACZ;AAAA,EACF;AAAA,EAEA,UAAU;AACR,WAAO,KAAK;AAAA,EACd;AACF;AAEO,IAAM,kBAAN,MAAsB;AAAA,EACnB;AAAA,EACA;AAAA,EACA,eAKJ,CAAC;AAAA,EAEL,YAAY,YAAoB;AAC9B,SAAK,aAAa;AAClB,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,SAAS,QAAgB;AACvB,SAAK,cAAc;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,gBAAgB;AACd,SAAK,aAAa,MAAM,CAAC;AACzB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,SAAS,cAA8B;AACrC,SAAK,aAAa,SAAS;AAAA,MACzB,eAAe,gBAAgB,CAAC;AAAA,IAClC;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,eAAe,MAAuB;AAEpC,SAAK,aAAa,QAAQ;AAAA,MACxB,WAAW,MAAM,aAAa,EAAE,MAAM,SAAS,cAAc,EAAE;AAAA,MAC/D,eAAe,MAAM,iBAAiB;AAAA,QACpC;AAAA,UACE,MAAM;AAAA,QACR;AAAA,MACF;AAAA,MACA,GAAG,MAAM,KAAK;AAAA,MACd,GAAG,MAAM,KAAK;AAAA,MACd,kBAAkB,MAAM,oBAAoB;AAAA,IAC9C;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,iBAAiB;AACf,SAAK,cAAc;AACnB,SAAK,aAAa,UAAU,EAAE,QAAQ,UAAU;AAChD,WAAO;AAAA,EACT;AAAA,EAEA,QAAQ;AACN,WAAO;AAAA,MACL,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,IAChB;AAAA,EACF;AAAA,EAEA,UAAU;AACR,WAAO,KAAK;AAAA,EACd;AACF;AAOO,IAAM,iBAAN,MAAqD;AAAA,EAI1D,YACkB,WACC,gBACjB;AAFgB;AACC;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBH,QAAyB;AACvB,UAAM,eAA6C,CAAC;AAEpD,UAAM,gBAAgB,CACpB,SAcA,YACG;AACH,UAAI,mBAAmB,iBAAiB;AACtC,cAAM,cAAc,QAAQ,MAAM;AAGlC,YACE,YAAY,YAAY,UACxB,YAAY,QAAQ,SAAS,WAAW,WACxC;AACA,uBAAa,OAAO,IAAI;AAAA,YACtB,GAAG;AAAA,YACH,SAAS;AAAA,cACP,GAAG,YAAY;AAAA,cACf,SAAS;AAAA,gBACP,QAAQ,GAAG,KAAK,SAAS,IAAI,OAAO;AAAA,cACtC;AAAA,YACF;AAAA,UACF;AAAA,QACF,OAAO;AACL,uBAAa,OAAO,IAAI;AAAA,QAC1B;AAAA,MACF,OAAO;AACL,mBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AAClD,cAAI,iBAAiB,gBAAgB;AACnC,yBAAa,MAAM,QAAQ,CAAC,IAAI,MAAM,MAAM;AAAA,UAC9C,OAAO;AACL,0BAAc,OAAO,GAAG;AAAA,UAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,eAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,KAAK,cAAc,GAAG;AACpE,oBAAc,SAAS,OAAO;AAAA,IAChC;AAEA,WAAO;AAAA,MACL,WAAW,KAAK;AAAA,MAChB,SAAS;AAAA,IACX;AAAA,EACF;AACF;AAyFO,SAAS,eACd,WACA,SACuB;AACvB,QAAM,eAAe,IAAI;AAAA,IACvB;AAAA,IACA;AAAA,EACF;AAEA,aAAW,CAAC,SAAS,UAAU,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC3D;AAAC,IAAC,aAAsC,OAAO,IAAI;AAAA,EACrD;AAEA,SAAO;AACT;AAsBO,SAAS,gBAAgB,YAAoB;AAClD,SAAO,IAAI,gBAAgB,UAAU;AACvC;AAwBO,SAAS,eAAe,WAAmB;AAChD,SAAO,IAAI,eAAe,SAAS;AACrC;AAOO,SAAS,sBACX,eACY;AACf,QAAM,SAAwB;AAAA,IAC5B,GAAG;AAAA,IACH,QAAQ,CAAC;AAAA,EACX;AAEA,aAAW,MAAM,eAAe;AAC9B,UAAM,WAAW,GAAG,MAAM;AAC1B,WAAO,OAAO,SAAS,SAAS,IAAI,SAAS;AAAA,EAC/C;AAEA,SAAO;AACT;","names":[]}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { l as EncryptedQueryResult, m as Client, S as ScalarQueryTerm, B as BulkDecryptedData, n as BulkDecryptPayload, D as Decrypted, o as BulkEncryptedData, p as BulkEncryptPayload, q as EncryptOptions, d as EncryptedColumn, h as EncryptedField, f as EncryptedTable, g as EncryptedTableColumn, j as Encrypted, r as EncryptQueryOptions, Q as QueryTypeName, s as EncryptedReturnType, t as EncryptConfig, K as KeysetIdentifier, i as EncryptedFromSchema } from './types-public-0CzBV45X.cjs';
|
|
2
2
|
import { a as EncryptionError, d as LockContext } from './index-9-Ya3fDK.cjs';
|
|
3
3
|
import { Result } from '@byteslice/result';
|
|
4
4
|
import { JsPlaintext } from '@cipherstash/protect-ffi';
|
|
@@ -99,8 +99,8 @@ declare class BulkEncryptOperation extends EncryptionOperation<BulkEncryptedData
|
|
|
99
99
|
getOperation(): {
|
|
100
100
|
client: Client;
|
|
101
101
|
plaintexts: BulkEncryptPayload;
|
|
102
|
-
column:
|
|
103
|
-
table:
|
|
102
|
+
column: EncryptedColumn | EncryptedField;
|
|
103
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
104
104
|
};
|
|
105
105
|
}
|
|
106
106
|
declare class BulkEncryptOperationWithLockContext extends EncryptionOperation<BulkEncryptedData> {
|
|
@@ -114,13 +114,13 @@ declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> exte
|
|
|
114
114
|
private client;
|
|
115
115
|
private models;
|
|
116
116
|
private table;
|
|
117
|
-
constructor(client: Client, models: Record<string, unknown>[], table:
|
|
117
|
+
constructor(client: Client, models: Record<string, unknown>[], table: EncryptedTable<EncryptedTableColumn>);
|
|
118
118
|
withLockContext(lockContext: LockContext): BulkEncryptModelsOperationWithLockContext<T>;
|
|
119
119
|
execute(): Promise<Result<T[], EncryptionError>>;
|
|
120
120
|
getOperation(): {
|
|
121
121
|
client: Client;
|
|
122
122
|
models: Record<string, unknown>[];
|
|
123
|
-
table:
|
|
123
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
124
124
|
};
|
|
125
125
|
}
|
|
126
126
|
declare class BulkEncryptModelsOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T[]> {
|
|
@@ -182,8 +182,8 @@ declare class EncryptOperation extends EncryptionOperation<Encrypted> {
|
|
|
182
182
|
getOperation(): {
|
|
183
183
|
client: Client;
|
|
184
184
|
plaintext: JsPlaintext | null;
|
|
185
|
-
column:
|
|
186
|
-
table:
|
|
185
|
+
column: EncryptedColumn | EncryptedField;
|
|
186
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
187
187
|
};
|
|
188
188
|
}
|
|
189
189
|
declare class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted> {
|
|
@@ -197,13 +197,13 @@ declare class EncryptModelOperation<T extends Record<string, unknown>> extends E
|
|
|
197
197
|
private client;
|
|
198
198
|
private model;
|
|
199
199
|
private table;
|
|
200
|
-
constructor(client: Client, model: Record<string, unknown>, table:
|
|
200
|
+
constructor(client: Client, model: Record<string, unknown>, table: EncryptedTable<EncryptedTableColumn>);
|
|
201
201
|
withLockContext(lockContext: LockContext): EncryptModelOperationWithLockContext<T>;
|
|
202
202
|
execute(): Promise<Result<T, EncryptionError>>;
|
|
203
203
|
getOperation(): {
|
|
204
204
|
client: Client;
|
|
205
205
|
model: Record<string, unknown>;
|
|
206
|
-
table:
|
|
206
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
207
207
|
};
|
|
208
208
|
}
|
|
209
209
|
declare class EncryptModelOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T> {
|
|
@@ -224,8 +224,8 @@ declare class EncryptQueryOperation extends EncryptionOperation<EncryptedQueryRe
|
|
|
224
224
|
withLockContext(lockContext: LockContext): EncryptQueryOperationWithLockContext;
|
|
225
225
|
execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
|
|
226
226
|
getOperation(): {
|
|
227
|
-
column:
|
|
228
|
-
table:
|
|
227
|
+
column: EncryptedColumn;
|
|
228
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
229
229
|
queryType?: QueryTypeName;
|
|
230
230
|
returnType?: EncryptedReturnType;
|
|
231
231
|
client: Client;
|
|
@@ -244,7 +244,7 @@ declare class EncryptQueryOperationWithLockContext extends EncryptionOperation<E
|
|
|
244
244
|
execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
|
|
245
245
|
}
|
|
246
246
|
|
|
247
|
-
/** The EncryptionClient is the main entry point for interacting with the CipherStash
|
|
247
|
+
/** The EncryptionClient is the main entry point for interacting with the CipherStash Encryption library.
|
|
248
248
|
* It provides methods for encrypting and decrypting individual values, as well as models (objects) and bulk operations.
|
|
249
249
|
*
|
|
250
250
|
* The client must be initialized using the {@link Encryption} function before it can be used.
|
|
@@ -272,7 +272,7 @@ declare class EncryptionClient {
|
|
|
272
272
|
* Encrypt a value - returns a promise which resolves to an encrypted value.
|
|
273
273
|
*
|
|
274
274
|
* @param plaintext - The plaintext value to be encrypted. Can be null.
|
|
275
|
-
* @param opts - Options specifying the column and table for encryption.
|
|
275
|
+
* @param opts - Options specifying the column (or nested field) and table for encryption. See {@link EncryptOptions}.
|
|
276
276
|
* @returns An EncryptOperation that can be awaited or chained with additional methods.
|
|
277
277
|
*
|
|
278
278
|
* @example
|
|
@@ -335,8 +335,11 @@ declare class EncryptionClient {
|
|
|
335
335
|
* .withLockContext(lockContext)
|
|
336
336
|
* ```
|
|
337
337
|
*
|
|
338
|
+
* @see {@link EncryptOptions}
|
|
338
339
|
* @see {@link Result}
|
|
339
340
|
* @see {@link encryptedTable}
|
|
341
|
+
* @see {@link encryptedColumn}
|
|
342
|
+
* @see {@link encryptedField}
|
|
340
343
|
* @see {@link LockContext}
|
|
341
344
|
* @see {@link EncryptOperation}
|
|
342
345
|
*/
|
|
@@ -479,7 +482,7 @@ declare class EncryptionClient {
|
|
|
479
482
|
* }
|
|
480
483
|
* ```
|
|
481
484
|
*/
|
|
482
|
-
encryptModel<T extends Record<string, unknown>, S extends
|
|
485
|
+
encryptModel<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: T, table: EncryptedTable<S>): EncryptModelOperation<EncryptedFromSchema<T, S>>;
|
|
483
486
|
/**
|
|
484
487
|
* Decrypt a model (object) whose fields contain encrypted values.
|
|
485
488
|
*
|
|
@@ -554,7 +557,7 @@ declare class EncryptionClient {
|
|
|
554
557
|
* }
|
|
555
558
|
* ```
|
|
556
559
|
*/
|
|
557
|
-
bulkEncryptModels<T extends Record<string, unknown>, S extends
|
|
560
|
+
bulkEncryptModels<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: Array<T>, table: EncryptedTable<S>): BulkEncryptModelsOperation<EncryptedFromSchema<T, S>>;
|
|
558
561
|
/**
|
|
559
562
|
* Decrypt multiple models (objects) in a single bulk operation.
|
|
560
563
|
*
|
|
@@ -592,7 +595,7 @@ declare class EncryptionClient {
|
|
|
592
595
|
* your application data. Null plaintext values are preserved as null.
|
|
593
596
|
*
|
|
594
597
|
* @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
|
|
595
|
-
* @param opts - Options specifying the target column and table
|
|
598
|
+
* @param opts - Options specifying the target column (or nested {@link encryptedField}) and table. See {@link EncryptOptions}.
|
|
596
599
|
* @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
|
|
597
600
|
* containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
|
|
598
601
|
*
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { l as EncryptedQueryResult, m as Client, S as ScalarQueryTerm, B as BulkDecryptedData, n as BulkDecryptPayload, D as Decrypted, o as BulkEncryptedData, p as BulkEncryptPayload, q as EncryptOptions, d as EncryptedColumn, h as EncryptedField, f as EncryptedTable, g as EncryptedTableColumn, j as Encrypted, r as EncryptQueryOptions, Q as QueryTypeName, s as EncryptedReturnType, t as EncryptConfig, K as KeysetIdentifier, i as EncryptedFromSchema } from './types-public-0CzBV45X.js';
|
|
2
2
|
import { a as EncryptionError, d as LockContext } from './index-9-Ya3fDK.js';
|
|
3
3
|
import { Result } from '@byteslice/result';
|
|
4
4
|
import { JsPlaintext } from '@cipherstash/protect-ffi';
|
|
@@ -99,8 +99,8 @@ declare class BulkEncryptOperation extends EncryptionOperation<BulkEncryptedData
|
|
|
99
99
|
getOperation(): {
|
|
100
100
|
client: Client;
|
|
101
101
|
plaintexts: BulkEncryptPayload;
|
|
102
|
-
column:
|
|
103
|
-
table:
|
|
102
|
+
column: EncryptedColumn | EncryptedField;
|
|
103
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
104
104
|
};
|
|
105
105
|
}
|
|
106
106
|
declare class BulkEncryptOperationWithLockContext extends EncryptionOperation<BulkEncryptedData> {
|
|
@@ -114,13 +114,13 @@ declare class BulkEncryptModelsOperation<T extends Record<string, unknown>> exte
|
|
|
114
114
|
private client;
|
|
115
115
|
private models;
|
|
116
116
|
private table;
|
|
117
|
-
constructor(client: Client, models: Record<string, unknown>[], table:
|
|
117
|
+
constructor(client: Client, models: Record<string, unknown>[], table: EncryptedTable<EncryptedTableColumn>);
|
|
118
118
|
withLockContext(lockContext: LockContext): BulkEncryptModelsOperationWithLockContext<T>;
|
|
119
119
|
execute(): Promise<Result<T[], EncryptionError>>;
|
|
120
120
|
getOperation(): {
|
|
121
121
|
client: Client;
|
|
122
122
|
models: Record<string, unknown>[];
|
|
123
|
-
table:
|
|
123
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
124
124
|
};
|
|
125
125
|
}
|
|
126
126
|
declare class BulkEncryptModelsOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T[]> {
|
|
@@ -182,8 +182,8 @@ declare class EncryptOperation extends EncryptionOperation<Encrypted> {
|
|
|
182
182
|
getOperation(): {
|
|
183
183
|
client: Client;
|
|
184
184
|
plaintext: JsPlaintext | null;
|
|
185
|
-
column:
|
|
186
|
-
table:
|
|
185
|
+
column: EncryptedColumn | EncryptedField;
|
|
186
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
187
187
|
};
|
|
188
188
|
}
|
|
189
189
|
declare class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted> {
|
|
@@ -197,13 +197,13 @@ declare class EncryptModelOperation<T extends Record<string, unknown>> extends E
|
|
|
197
197
|
private client;
|
|
198
198
|
private model;
|
|
199
199
|
private table;
|
|
200
|
-
constructor(client: Client, model: Record<string, unknown>, table:
|
|
200
|
+
constructor(client: Client, model: Record<string, unknown>, table: EncryptedTable<EncryptedTableColumn>);
|
|
201
201
|
withLockContext(lockContext: LockContext): EncryptModelOperationWithLockContext<T>;
|
|
202
202
|
execute(): Promise<Result<T, EncryptionError>>;
|
|
203
203
|
getOperation(): {
|
|
204
204
|
client: Client;
|
|
205
205
|
model: Record<string, unknown>;
|
|
206
|
-
table:
|
|
206
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
207
207
|
};
|
|
208
208
|
}
|
|
209
209
|
declare class EncryptModelOperationWithLockContext<T extends Record<string, unknown>> extends EncryptionOperation<T> {
|
|
@@ -224,8 +224,8 @@ declare class EncryptQueryOperation extends EncryptionOperation<EncryptedQueryRe
|
|
|
224
224
|
withLockContext(lockContext: LockContext): EncryptQueryOperationWithLockContext;
|
|
225
225
|
execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
|
|
226
226
|
getOperation(): {
|
|
227
|
-
column:
|
|
228
|
-
table:
|
|
227
|
+
column: EncryptedColumn;
|
|
228
|
+
table: EncryptedTable<EncryptedTableColumn>;
|
|
229
229
|
queryType?: QueryTypeName;
|
|
230
230
|
returnType?: EncryptedReturnType;
|
|
231
231
|
client: Client;
|
|
@@ -244,7 +244,7 @@ declare class EncryptQueryOperationWithLockContext extends EncryptionOperation<E
|
|
|
244
244
|
execute(): Promise<Result<EncryptedQueryResult, EncryptionError>>;
|
|
245
245
|
}
|
|
246
246
|
|
|
247
|
-
/** The EncryptionClient is the main entry point for interacting with the CipherStash
|
|
247
|
+
/** The EncryptionClient is the main entry point for interacting with the CipherStash Encryption library.
|
|
248
248
|
* It provides methods for encrypting and decrypting individual values, as well as models (objects) and bulk operations.
|
|
249
249
|
*
|
|
250
250
|
* The client must be initialized using the {@link Encryption} function before it can be used.
|
|
@@ -272,7 +272,7 @@ declare class EncryptionClient {
|
|
|
272
272
|
* Encrypt a value - returns a promise which resolves to an encrypted value.
|
|
273
273
|
*
|
|
274
274
|
* @param plaintext - The plaintext value to be encrypted. Can be null.
|
|
275
|
-
* @param opts - Options specifying the column and table for encryption.
|
|
275
|
+
* @param opts - Options specifying the column (or nested field) and table for encryption. See {@link EncryptOptions}.
|
|
276
276
|
* @returns An EncryptOperation that can be awaited or chained with additional methods.
|
|
277
277
|
*
|
|
278
278
|
* @example
|
|
@@ -335,8 +335,11 @@ declare class EncryptionClient {
|
|
|
335
335
|
* .withLockContext(lockContext)
|
|
336
336
|
* ```
|
|
337
337
|
*
|
|
338
|
+
* @see {@link EncryptOptions}
|
|
338
339
|
* @see {@link Result}
|
|
339
340
|
* @see {@link encryptedTable}
|
|
341
|
+
* @see {@link encryptedColumn}
|
|
342
|
+
* @see {@link encryptedField}
|
|
340
343
|
* @see {@link LockContext}
|
|
341
344
|
* @see {@link EncryptOperation}
|
|
342
345
|
*/
|
|
@@ -479,7 +482,7 @@ declare class EncryptionClient {
|
|
|
479
482
|
* }
|
|
480
483
|
* ```
|
|
481
484
|
*/
|
|
482
|
-
encryptModel<T extends Record<string, unknown>, S extends
|
|
485
|
+
encryptModel<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: T, table: EncryptedTable<S>): EncryptModelOperation<EncryptedFromSchema<T, S>>;
|
|
483
486
|
/**
|
|
484
487
|
* Decrypt a model (object) whose fields contain encrypted values.
|
|
485
488
|
*
|
|
@@ -554,7 +557,7 @@ declare class EncryptionClient {
|
|
|
554
557
|
* }
|
|
555
558
|
* ```
|
|
556
559
|
*/
|
|
557
|
-
bulkEncryptModels<T extends Record<string, unknown>, S extends
|
|
560
|
+
bulkEncryptModels<T extends Record<string, unknown>, S extends EncryptedTableColumn = EncryptedTableColumn>(input: Array<T>, table: EncryptedTable<S>): BulkEncryptModelsOperation<EncryptedFromSchema<T, S>>;
|
|
558
561
|
/**
|
|
559
562
|
* Decrypt multiple models (objects) in a single bulk operation.
|
|
560
563
|
*
|
|
@@ -592,7 +595,7 @@ declare class EncryptionClient {
|
|
|
592
595
|
* your application data. Null plaintext values are preserved as null.
|
|
593
596
|
*
|
|
594
597
|
* @param plaintexts - An array of objects with `plaintext` (and optional `id`) fields.
|
|
595
|
-
* @param opts - Options specifying the target column and table
|
|
598
|
+
* @param opts - Options specifying the target column (or nested {@link encryptedField}) and table. See {@link EncryptOptions}.
|
|
596
599
|
* @returns A `BulkEncryptOperation` that can be awaited to get a `Result`
|
|
597
600
|
* containing an array of `{ id?, data: Encrypted }` objects, or an `EncryptionError`.
|
|
598
601
|
*
|
package/dist/client.cjs
CHANGED
|
@@ -21,8 +21,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
|
|
|
21
21
|
var client_exports = {};
|
|
22
22
|
__export(client_exports, {
|
|
23
23
|
encryptedColumn: () => encryptedColumn,
|
|
24
|
-
|
|
25
|
-
|
|
24
|
+
encryptedField: () => encryptedField,
|
|
25
|
+
encryptedTable: () => encryptedTable
|
|
26
26
|
});
|
|
27
27
|
module.exports = __toCommonJS(client_exports);
|
|
28
28
|
|
|
@@ -71,7 +71,7 @@ var encryptConfigSchema = import_zod.z.object({
|
|
|
71
71
|
v: import_zod.z.number(),
|
|
72
72
|
tables: tablesSchema
|
|
73
73
|
});
|
|
74
|
-
var
|
|
74
|
+
var EncryptedField = class {
|
|
75
75
|
valueName;
|
|
76
76
|
castAsValue;
|
|
77
77
|
constructor(valueName) {
|
|
@@ -79,20 +79,20 @@ var ProtectValue = class {
|
|
|
79
79
|
this.castAsValue = "string";
|
|
80
80
|
}
|
|
81
81
|
/**
|
|
82
|
-
* Set or override the plaintext data type for this
|
|
82
|
+
* Set or override the plaintext data type for this field.
|
|
83
83
|
*
|
|
84
84
|
* By default all values are treated as `'string'`. Use this method to specify
|
|
85
85
|
* a different type so the encryption layer knows how to encode the plaintext
|
|
86
86
|
* before encrypting.
|
|
87
87
|
*
|
|
88
88
|
* @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
|
|
89
|
-
* @returns This `
|
|
89
|
+
* @returns This `EncryptedField` instance for method chaining.
|
|
90
90
|
*
|
|
91
91
|
* @example
|
|
92
92
|
* ```typescript
|
|
93
|
-
* import {
|
|
93
|
+
* import { encryptedField } from "@cipherstash/stack/schema"
|
|
94
94
|
*
|
|
95
|
-
* const age =
|
|
95
|
+
* const age = encryptedField("age").dataType("number")
|
|
96
96
|
* ```
|
|
97
97
|
*/
|
|
98
98
|
dataType(castAs) {
|
|
@@ -109,7 +109,7 @@ var ProtectValue = class {
|
|
|
109
109
|
return this.valueName;
|
|
110
110
|
}
|
|
111
111
|
};
|
|
112
|
-
var
|
|
112
|
+
var EncryptedColumn = class {
|
|
113
113
|
columnName;
|
|
114
114
|
castAsValue;
|
|
115
115
|
indexesValue = {};
|
|
@@ -125,7 +125,7 @@ var ProtectColumn = class {
|
|
|
125
125
|
* before encrypting.
|
|
126
126
|
*
|
|
127
127
|
* @param castAs - The plaintext data type: `'string'`, `'number'`, `'boolean'`, `'date'`, `'bigint'`, or `'json'`.
|
|
128
|
-
* @returns This `
|
|
128
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
129
129
|
*
|
|
130
130
|
* @example
|
|
131
131
|
* ```typescript
|
|
@@ -144,7 +144,7 @@ var ProtectColumn = class {
|
|
|
144
144
|
* ORE allows sorting, comparison, and range queries on encrypted data.
|
|
145
145
|
* Use with `encryptQuery` and `queryType: 'orderAndRange'`.
|
|
146
146
|
*
|
|
147
|
-
* @returns This `
|
|
147
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
148
148
|
*
|
|
149
149
|
* @example
|
|
150
150
|
* ```typescript
|
|
@@ -167,7 +167,7 @@ var ProtectColumn = class {
|
|
|
167
167
|
*
|
|
168
168
|
* @param tokenFilters - Optional array of token filters (e.g. `[{ kind: 'downcase' }]`).
|
|
169
169
|
* When omitted, no token filters are applied.
|
|
170
|
-
* @returns This `
|
|
170
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
171
171
|
*
|
|
172
172
|
* @example
|
|
173
173
|
* ```typescript
|
|
@@ -192,7 +192,7 @@ var ProtectColumn = class {
|
|
|
192
192
|
*
|
|
193
193
|
* @param opts - Optional match index configuration. Defaults to 3-character ngram
|
|
194
194
|
* tokenization with a downcase filter, `k=6`, `m=2048`, and `include_original=true`.
|
|
195
|
-
* @returns This `
|
|
195
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
196
196
|
*
|
|
197
197
|
* @example
|
|
198
198
|
* ```typescript
|
|
@@ -237,7 +237,7 @@ var ProtectColumn = class {
|
|
|
237
237
|
* the plaintext type: strings become selector queries, objects/arrays become
|
|
238
238
|
* containment queries.
|
|
239
239
|
*
|
|
240
|
-
* @returns This `
|
|
240
|
+
* @returns This `EncryptedColumn` instance for method chaining.
|
|
241
241
|
*
|
|
242
242
|
* @example
|
|
243
243
|
* ```typescript
|
|
@@ -263,7 +263,7 @@ var ProtectColumn = class {
|
|
|
263
263
|
return this.columnName;
|
|
264
264
|
}
|
|
265
265
|
};
|
|
266
|
-
var
|
|
266
|
+
var EncryptedTable = class {
|
|
267
267
|
constructor(tableName, columnBuilders) {
|
|
268
268
|
this.tableName = tableName;
|
|
269
269
|
this.columnBuilders = columnBuilders;
|
|
@@ -290,7 +290,7 @@ var ProtectTable = class {
|
|
|
290
290
|
build() {
|
|
291
291
|
const builtColumns = {};
|
|
292
292
|
const processColumn = (builder, colName) => {
|
|
293
|
-
if (builder instanceof
|
|
293
|
+
if (builder instanceof EncryptedColumn) {
|
|
294
294
|
const builtColumn = builder.build();
|
|
295
295
|
if (builtColumn.cast_as === "json" && builtColumn.indexes.ste_vec?.prefix === "enabled") {
|
|
296
296
|
builtColumns[colName] = {
|
|
@@ -307,7 +307,7 @@ var ProtectTable = class {
|
|
|
307
307
|
}
|
|
308
308
|
} else {
|
|
309
309
|
for (const [key, value] of Object.entries(builder)) {
|
|
310
|
-
if (value instanceof
|
|
310
|
+
if (value instanceof EncryptedField) {
|
|
311
311
|
builtColumns[value.getName()] = value.build();
|
|
312
312
|
} else {
|
|
313
313
|
processColumn(value, key);
|
|
@@ -325,7 +325,10 @@ var ProtectTable = class {
|
|
|
325
325
|
}
|
|
326
326
|
};
|
|
327
327
|
function encryptedTable(tableName, columns) {
|
|
328
|
-
const tableBuilder = new
|
|
328
|
+
const tableBuilder = new EncryptedTable(
|
|
329
|
+
tableName,
|
|
330
|
+
columns
|
|
331
|
+
);
|
|
329
332
|
for (const [colName, colBuilder] of Object.entries(columns)) {
|
|
330
333
|
;
|
|
331
334
|
tableBuilder[colName] = colBuilder;
|
|
@@ -333,15 +336,15 @@ function encryptedTable(tableName, columns) {
|
|
|
333
336
|
return tableBuilder;
|
|
334
337
|
}
|
|
335
338
|
function encryptedColumn(columnName) {
|
|
336
|
-
return new
|
|
339
|
+
return new EncryptedColumn(columnName);
|
|
337
340
|
}
|
|
338
|
-
function
|
|
339
|
-
return new
|
|
341
|
+
function encryptedField(valueName) {
|
|
342
|
+
return new EncryptedField(valueName);
|
|
340
343
|
}
|
|
341
344
|
// Annotate the CommonJS export names for ESM import in node:
|
|
342
345
|
0 && (module.exports = {
|
|
343
346
|
encryptedColumn,
|
|
344
|
-
|
|
345
|
-
|
|
347
|
+
encryptedField,
|
|
348
|
+
encryptedTable
|
|
346
349
|
});
|
|
347
350
|
//# sourceMappingURL=client.cjs.map
|