@forklaunch/core 1.2.8 → 1.3.0

package/lib/persistence/index.d.mts

@@ -1,4 +1,4 @@
-import { PropertyBuilders, EntityMetadataWithProperties, EntitySchemaWithMeta, InferEntityFromProperties, EventSubscriber, EventArgs, FilterDef, EntityManager, MikroORM } from '@mikro-orm/core';
+import { PropertyBuilders, EntityMetadataWithProperties, EntitySchemaWithMeta, InferEntityFromProperties, Type, Platform, TransformContext, FilterDef, EntityManager, EventSubscriber, MikroORM } from '@mikro-orm/core';
 
 declare const ComplianceLevel: {
     readonly pii: "pii";
@@ -101,6 +101,19 @@ declare function defineComplianceEntity<const TName extends string, const TTable
     userIdField?: string;
 }): EntitySchemaWithMeta<TName, TTableName, InferEntityFromProperties<TProperties, TPK, TBase, TRepository, TForceObject>, TBase, TProperties>;
 
+/**
+ * Wraps an EntityManager to block `nativeInsert`, `nativeUpdate`, and
+ * `nativeDelete` on entities that have PII, PHI, or PCI compliance fields.
+ *
+ * This prevents bypassing the EncryptedType's encryption by using raw
+ * queries. Call this in the tenant context middleware when creating the
+ * request-scoped EM.
+ *
+ * @returns A Proxy-wrapped EntityManager that throws on native query
+ *          operations targeting compliance entities.
+ */
+declare function wrapEmWithNativeQueryBlocking<T extends object>(em: T): T;
+
 declare class MissingEncryptionKeyError extends Error {
     readonly name: "MissingEncryptionKeyError";
     constructor(message?: string);
@@ -122,60 +135,83 @@ declare class FieldEncryptor {
      */
     deriveKey(tenantId: string): Buffer;
     /**
-     * Encrypt a plaintext string for a specific tenant.
+     * Derive a deterministic IV from the key and plaintext using HMAC-SHA256,
+     * truncated to IV_BYTES. Same plaintext + same key → same IV → same
+     * ciphertext. This enables WHERE clause matching on encrypted columns
+     * while maintaining AES-256-GCM authenticated encryption.
+     *
+     * Meets SOC 2, HIPAA, PCI DSS, GDPR requirements for encryption at rest.
+     */
+    private deriveDeterministicIv;
+    /**
+     * Encrypt a plaintext string.
      *
-     * @returns Format: `v1:{base64(iv)}:{base64(authTag)}:{base64(ciphertext)}`
+     * Uses deterministic encryption (HMAC-derived IV) so the same plaintext
+     * always produces the same ciphertext. This enables database WHERE clause
+     * matching and UNIQUE constraints on encrypted columns.
+     *
+     * @returns Format: `v2:{base64(iv)}:{base64(authTag)}:{base64(ciphertext)}`
      */
     encrypt(plaintext: string | null): string | null;
     encrypt(plaintext: string | null, tenantId: string): string | null;
     /**
      * Decrypt a ciphertext string produced by {@link encrypt}.
+     * Supports both v1 (random IV) and v2 (deterministic IV) formats.
      */
     decrypt(ciphertext: string | null): string | null;
     decrypt(ciphertext: string | null, tenantId: string): string | null;
 }
 
 /**
- * MikroORM EventSubscriber that enforces field-level encryption for
- * compliance-classified fields (PHI and PCI).
+ * Register the FieldEncryptor instance for use by EncryptedType.
+ * Call this once at application bootstrap (e.g., in mikro-orm.config.ts).
+ */
+declare function registerEncryptor(encryptor: FieldEncryptor): void;
+/**
+ * Run a callback with the given tenant ID available to EncryptedType
+ * for per-tenant key derivation.
+ */
+declare function withEncryptionContext<T>(tenantId: string, fn: () => T): T;
+/**
+ * Set the encryption tenant ID for the current async context.
+ * Called automatically by the tenant context middleware — users
+ * don't need to call this directly.
+ */
+declare function setEncryptionTenantId(tenantId: string): void;
+/**
+ * Get the current tenant ID. Returns empty string when no context is set
+ * (startup, seeders, better-auth, background jobs).
+ */
+declare function getCurrentTenantId(): string;
+/**
+ * MikroORM custom Type that transparently encrypts/decrypts values.
+ *
+ * Works with any JS type (string, number, boolean, object/JSON).
+ * Non-string values are JSON-serialized before encryption and
+ * JSON-parsed after decryption.
  *
- * - **onBeforeCreate / onBeforeUpdate**: Encrypts PHI/PCI fields before
- *   database persistence. Throws `EncryptionRequiredError` if the encryption
- *   key is unavailable.
- * - **onLoad**: Decrypts PHI/PCI fields after loading from the database.
- *   Pre-migration plaintext (no `v1:` prefix) is returned as-is with a
- *   console warning to support rolling deployments.
+ * DB column is always `text` — the encrypted ciphertext is a string
+ * regardless of the original JS type.
  *
- * The tenant ID for key derivation is read from the EntityManager's filter
- * parameters (set by the tenant context middleware).
+ * Operates at the data conversion layer — before the identity map,
+ * during hydration, and during persistence. Entities always hold
+ * their original JS values (plaintext).
  */
-declare class ComplianceEventSubscriber implements EventSubscriber {
-    private readonly encryptor;
-    constructor(encryptor: FieldEncryptor);
-    beforeCreate(args: EventArgs<unknown>): Promise<void>;
-    beforeUpdate(args: EventArgs<unknown>): Promise<void>;
-    onLoad(args: EventArgs<unknown>): Promise<void>;
-    private encryptFields;
-    private decryptFields;
+declare class EncryptedType extends Type<unknown, string | null> {
+    private readonly originalType;
     /**
-     * Read the tenant ID from the EntityManager's filter parameters.
-     * Returns undefined when no tenant context is set (startup, seeders,
-     * better-auth). Callers skip encryption/decryption in that case.
+     * @param originalType - The original JS type hint ('string' | 'json' | 'number' | 'boolean').
+     *                       Used to determine serialization strategy.
      */
-    private getTenantId;
+    constructor(originalType?: string);
+    convertToDatabaseValue(value: unknown, _platform: Platform, _context?: TransformContext): string | null;
+    convertToJSValue(value: string | null, _platform: Platform): unknown;
+    getColumnType(): string;
+    get runtimeType(): string;
+    ensureComparable(): boolean;
+    private serializeValue;
+    private deserializeValue;
 }
-/**
- * Wraps an EntityManager to block `nativeInsert`, `nativeUpdate`, and
- * `nativeDelete` on entities that have PHI or PCI compliance fields.
- *
- * This prevents bypassing the ComplianceEventSubscriber's encryption
- * by using raw queries. Call this in the tenant context middleware when
- * creating the request-scoped EM.
- *
- * @returns A Proxy-wrapped EntityManager that throws on native query
- *          operations targeting compliance entities.
- */
-declare function wrapEmWithNativeQueryBlocking<T extends object>(em: T): T;
 
 /**
  * The name used to register the tenant isolation filter.
@@ -276,4 +312,4 @@ declare class RlsEventSubscriber implements EventSubscriber {
  */
 declare function setupRls(orm: MikroORM, config?: RlsConfig): void;
 
-export { ComplianceEventSubscriber, ComplianceLevel, ComplianceLevel as ComplianceLevelType, DecryptionError, EncryptionRequiredError, FieldEncryptor, MissingEncryptionKeyError, type ParsedDuration, RetentionAction, RetentionAction as RetentionActionType, RetentionDuration, type RetentionPolicy, type RlsConfig, RlsEventSubscriber, TENANT_FILTER_NAME, createTenantFilterDef, defineComplianceEntity, entityHasEncryptedFields, fp, getAllRetentionPolicies, getAllUserIdFields, getComplianceMetadata, getEntityComplianceFields, getEntityRetention, getEntityUserIdField, getSuperAdminContext, parseDuration, setupRls, setupTenantFilter, subtractDuration, wrapEmWithNativeQueryBlocking };
+export { ComplianceLevel, ComplianceLevel as ComplianceLevelType, DecryptionError, EncryptedType, EncryptionRequiredError, FieldEncryptor, MissingEncryptionKeyError, type ParsedDuration, RetentionAction, RetentionAction as RetentionActionType, RetentionDuration, type RetentionPolicy, type RlsConfig, RlsEventSubscriber, TENANT_FILTER_NAME, createTenantFilterDef, defineComplianceEntity, entityHasEncryptedFields, fp, getAllRetentionPolicies, getAllUserIdFields, getComplianceMetadata, getCurrentTenantId, getEntityComplianceFields, getEntityRetention, getEntityUserIdField, getSuperAdminContext, parseDuration, registerEncryptor, setEncryptionTenantId, setupRls, setupTenantFilter, subtractDuration, withEncryptionContext, wrapEmWithNativeQueryBlocking };

package/lib/persistence/index.d.ts

@@ -1,4 +1,4 @@
-import { PropertyBuilders, EntityMetadataWithProperties, EntitySchemaWithMeta, InferEntityFromProperties, EventSubscriber, EventArgs, FilterDef, EntityManager, MikroORM } from '@mikro-orm/core';
+import { PropertyBuilders, EntityMetadataWithProperties, EntitySchemaWithMeta, InferEntityFromProperties, Type, Platform, TransformContext, FilterDef, EntityManager, EventSubscriber, MikroORM } from '@mikro-orm/core';
 
 declare const ComplianceLevel: {
     readonly pii: "pii";
@@ -101,6 +101,19 @@ declare function defineComplianceEntity<const TName extends string, const TTable
     userIdField?: string;
 }): EntitySchemaWithMeta<TName, TTableName, InferEntityFromProperties<TProperties, TPK, TBase, TRepository, TForceObject>, TBase, TProperties>;
 
+/**
+ * Wraps an EntityManager to block `nativeInsert`, `nativeUpdate`, and
+ * `nativeDelete` on entities that have PII, PHI, or PCI compliance fields.
+ *
+ * This prevents bypassing the EncryptedType's encryption by using raw
+ * queries. Call this in the tenant context middleware when creating the
+ * request-scoped EM.
+ *
+ * @returns A Proxy-wrapped EntityManager that throws on native query
+ *          operations targeting compliance entities.
+ */
+declare function wrapEmWithNativeQueryBlocking<T extends object>(em: T): T;
+
 declare class MissingEncryptionKeyError extends Error {
     readonly name: "MissingEncryptionKeyError";
     constructor(message?: string);
@@ -122,60 +135,83 @@ declare class FieldEncryptor {
      */
     deriveKey(tenantId: string): Buffer;
     /**
-     * Encrypt a plaintext string for a specific tenant.
+     * Derive a deterministic IV from the key and plaintext using HMAC-SHA256,
+     * truncated to IV_BYTES. Same plaintext + same key → same IV → same
+     * ciphertext. This enables WHERE clause matching on encrypted columns
+     * while maintaining AES-256-GCM authenticated encryption.
+     *
+     * Meets SOC 2, HIPAA, PCI DSS, GDPR requirements for encryption at rest.
+     */
+    private deriveDeterministicIv;
+    /**
+     * Encrypt a plaintext string.
      *
-     * @returns Format: `v1:{base64(iv)}:{base64(authTag)}:{base64(ciphertext)}`
+     * Uses deterministic encryption (HMAC-derived IV) so the same plaintext
+     * always produces the same ciphertext. This enables database WHERE clause
+     * matching and UNIQUE constraints on encrypted columns.
+     *
+     * @returns Format: `v2:{base64(iv)}:{base64(authTag)}:{base64(ciphertext)}`
      */
     encrypt(plaintext: string | null): string | null;
     encrypt(plaintext: string | null, tenantId: string): string | null;
     /**
      * Decrypt a ciphertext string produced by {@link encrypt}.
+     * Supports both v1 (random IV) and v2 (deterministic IV) formats.
      */
     decrypt(ciphertext: string | null): string | null;
     decrypt(ciphertext: string | null, tenantId: string): string | null;
 }
 
 /**
- * MikroORM EventSubscriber that enforces field-level encryption for
- * compliance-classified fields (PHI and PCI).
+ * Register the FieldEncryptor instance for use by EncryptedType.
+ * Call this once at application bootstrap (e.g., in mikro-orm.config.ts).
+ */
+declare function registerEncryptor(encryptor: FieldEncryptor): void;
+/**
+ * Run a callback with the given tenant ID available to EncryptedType
+ * for per-tenant key derivation.
+ */
+declare function withEncryptionContext<T>(tenantId: string, fn: () => T): T;
+/**
+ * Set the encryption tenant ID for the current async context.
+ * Called automatically by the tenant context middleware — users
+ * don't need to call this directly.
+ */
+declare function setEncryptionTenantId(tenantId: string): void;
+/**
+ * Get the current tenant ID. Returns empty string when no context is set
+ * (startup, seeders, better-auth, background jobs).
+ */
+declare function getCurrentTenantId(): string;
+/**
+ * MikroORM custom Type that transparently encrypts/decrypts values.
+ *
+ * Works with any JS type (string, number, boolean, object/JSON).
+ * Non-string values are JSON-serialized before encryption and
+ * JSON-parsed after decryption.
  *
- * - **onBeforeCreate / onBeforeUpdate**: Encrypts PHI/PCI fields before
- *   database persistence. Throws `EncryptionRequiredError` if the encryption
- *   key is unavailable.
- * - **onLoad**: Decrypts PHI/PCI fields after loading from the database.
- *   Pre-migration plaintext (no `v1:` prefix) is returned as-is with a
- *   console warning to support rolling deployments.
+ * DB column is always `text` — the encrypted ciphertext is a string
+ * regardless of the original JS type.
  *
- * The tenant ID for key derivation is read from the EntityManager's filter
- * parameters (set by the tenant context middleware).
+ * Operates at the data conversion layer — before the identity map,
+ * during hydration, and during persistence. Entities always hold
+ * their original JS values (plaintext).
  */
-declare class ComplianceEventSubscriber implements EventSubscriber {
-    private readonly encryptor;
-    constructor(encryptor: FieldEncryptor);
-    beforeCreate(args: EventArgs<unknown>): Promise<void>;
-    beforeUpdate(args: EventArgs<unknown>): Promise<void>;
-    onLoad(args: EventArgs<unknown>): Promise<void>;
-    private encryptFields;
-    private decryptFields;
+declare class EncryptedType extends Type<unknown, string | null> {
+    private readonly originalType;
     /**
-     * Read the tenant ID from the EntityManager's filter parameters.
-     * Returns undefined when no tenant context is set (startup, seeders,
-     * better-auth). Callers skip encryption/decryption in that case.
+     * @param originalType - The original JS type hint ('string' | 'json' | 'number' | 'boolean').
+     *                       Used to determine serialization strategy.
      */
-    private getTenantId;
+    constructor(originalType?: string);
+    convertToDatabaseValue(value: unknown, _platform: Platform, _context?: TransformContext): string | null;
+    convertToJSValue(value: string | null, _platform: Platform): unknown;
+    getColumnType(): string;
+    get runtimeType(): string;
+    ensureComparable(): boolean;
+    private serializeValue;
+    private deserializeValue;
 }
-/**
- * Wraps an EntityManager to block `nativeInsert`, `nativeUpdate`, and
- * `nativeDelete` on entities that have PHI or PCI compliance fields.
- *
- * This prevents bypassing the ComplianceEventSubscriber's encryption
- * by using raw queries. Call this in the tenant context middleware when
- * creating the request-scoped EM.
- *
- * @returns A Proxy-wrapped EntityManager that throws on native query
- *          operations targeting compliance entities.
- */
-declare function wrapEmWithNativeQueryBlocking<T extends object>(em: T): T;
 
 /**
  * The name used to register the tenant isolation filter.
@@ -276,4 +312,4 @@ declare class RlsEventSubscriber implements EventSubscriber {
  */
 declare function setupRls(orm: MikroORM, config?: RlsConfig): void;
 
-export { ComplianceEventSubscriber, ComplianceLevel, ComplianceLevel as ComplianceLevelType, DecryptionError, EncryptionRequiredError, FieldEncryptor, MissingEncryptionKeyError, type ParsedDuration, RetentionAction, RetentionAction as RetentionActionType, RetentionDuration, type RetentionPolicy, type RlsConfig, RlsEventSubscriber, TENANT_FILTER_NAME, createTenantFilterDef, defineComplianceEntity, entityHasEncryptedFields, fp, getAllRetentionPolicies, getAllUserIdFields, getComplianceMetadata, getEntityComplianceFields, getEntityRetention, getEntityUserIdField, getSuperAdminContext, parseDuration, setupRls, setupTenantFilter, subtractDuration, wrapEmWithNativeQueryBlocking };
+export { ComplianceLevel, ComplianceLevel as ComplianceLevelType, DecryptionError, EncryptedType, EncryptionRequiredError, FieldEncryptor, MissingEncryptionKeyError, type ParsedDuration, RetentionAction, RetentionAction as RetentionActionType, RetentionDuration, type RetentionPolicy, type RlsConfig, RlsEventSubscriber, TENANT_FILTER_NAME, createTenantFilterDef, defineComplianceEntity, entityHasEncryptedFields, fp, getAllRetentionPolicies, getAllUserIdFields, getComplianceMetadata, getCurrentTenantId, getEntityComplianceFields, getEntityRetention, getEntityUserIdField, getSuperAdminContext, parseDuration, registerEncryptor, setEncryptionTenantId, setupRls, setupTenantFilter, subtractDuration, withEncryptionContext, wrapEmWithNativeQueryBlocking };

package/lib/persistence/index.js

@@ -30,9 +30,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/persistence/index.ts
 var persistence_exports = {};
 __export(persistence_exports, {
-  ComplianceEventSubscriber: () => ComplianceEventSubscriber,
   ComplianceLevel: () => ComplianceLevel,
   DecryptionError: () => DecryptionError,
+  EncryptedType: () => EncryptedType,
   EncryptionRequiredError: () => EncryptionRequiredError,
   FieldEncryptor: () => FieldEncryptor,
   MissingEncryptionKeyError: () => MissingEncryptionKeyError,
@@ -47,14 +47,18 @@ __export(persistence_exports, {
   getAllRetentionPolicies: () => getAllRetentionPolicies,
   getAllUserIdFields: () => getAllUserIdFields,
   getComplianceMetadata: () => getComplianceMetadata,
+  getCurrentTenantId: () => getCurrentTenantId,
   getEntityComplianceFields: () => getEntityComplianceFields,
   getEntityRetention: () => getEntityRetention,
   getEntityUserIdField: () => getEntityUserIdField,
   getSuperAdminContext: () => getSuperAdminContext,
   parseDuration: () => parseDuration,
+  registerEncryptor: () => registerEncryptor,
+  setEncryptionTenantId: () => setEncryptionTenantId,
   setupRls: () => setupRls,
   setupTenantFilter: () => setupTenantFilter,
   subtractDuration: () => subtractDuration,
+  withEncryptionContext: () => withEncryptionContext,
   wrapEmWithNativeQueryBlocking: () => wrapEmWithNativeQueryBlocking
 });
 module.exports = __toCommonJS(persistence_exports);
@@ -143,7 +147,102 @@ function getAllRetentionPolicies() {
 }
 
 // src/persistence/compliancePropertyBuilder.ts
+var import_core2 = require("@mikro-orm/core");
+
+// src/persistence/encryptedType.ts
+var import_node_async_hooks = require("async_hooks");
 var import_core = require("@mikro-orm/core");
+var ENCRYPTED_PREFIXES = ["v1:", "v2:"];
+function isEncrypted(value) {
+  return ENCRYPTED_PREFIXES.some((p3) => value.startsWith(p3));
+}
+var _encryptor;
+var _tenantContext = new import_node_async_hooks.AsyncLocalStorage();
+function registerEncryptor(encryptor) {
+  _encryptor = encryptor;
+}
+function withEncryptionContext(tenantId, fn) {
+  return _tenantContext.run({ tenantId }, fn);
+}
+function setEncryptionTenantId(tenantId) {
+  _tenantContext.enterWith({ tenantId });
+}
+function getCurrentTenantId() {
+  return _tenantContext.getStore()?.tenantId ?? "";
+}
+var EncryptedType = class extends import_core.Type {
+  originalType;
+  /**
+   * @param originalType - The original JS type hint ('string' | 'json' | 'number' | 'boolean').
+   *                       Used to determine serialization strategy.
+   */
+  constructor(originalType = "string") {
+    super();
+    this.originalType = originalType;
+  }
+  convertToDatabaseValue(value, _platform, _context) {
+    if (value === null || value === void 0) return null;
+    if (typeof value === "string" && value.length === 0) return "";
+    if (!_encryptor) {
+      return this.serializeValue(value);
+    }
+    if (typeof value === "string" && isEncrypted(value)) {
+      return value;
+    }
+    const serialized = this.serializeValue(value);
+    return _encryptor.encrypt(serialized, getCurrentTenantId()) ?? serialized;
+  }
+  convertToJSValue(value, _platform) {
+    if (value === null || value === void 0) return null;
+    if (typeof value !== "string") return value;
+    if (!isEncrypted(value)) {
+      return this.deserializeValue(value);
+    }
+    if (!_encryptor) return value;
+    try {
+      const decrypted = _encryptor.decrypt(value, getCurrentTenantId());
+      if (decrypted === null) return null;
+      return this.deserializeValue(decrypted);
+    } catch {
+      return value;
+    }
+  }
+  getColumnType() {
+    return "text";
+  }
+  get runtimeType() {
+    return this.originalType === "json" ? "object" : this.originalType;
+  }
+  ensureComparable() {
+    return true;
+  }
+  // ---------------------------------------------------------------------------
+  // Serialization helpers
+  // ---------------------------------------------------------------------------
+  serializeValue(value) {
+    if (typeof value === "string") return value;
+    return JSON.stringify(value);
+  }
+  deserializeValue(value) {
+    switch (this.originalType) {
+      case "string":
+        return value;
+      case "number":
+        return Number(value);
+      case "boolean":
+        return value === "true";
+      case "json":
+      default:
+        try {
+          return JSON.parse(value);
+        } catch {
+          return value;
+        }
+    }
+  }
+};
+
+// src/persistence/compliancePropertyBuilder.ts
 function isBuilder(value) {
   return value != null && typeof value === "object" && "~options" in value;
 }
@@ -169,7 +268,34 @@ function wrapUnclassified(builder) {
     }
   });
 }
+var ENCRYPTED_LEVELS = /* @__PURE__ */ new Set(["pii", "phi", "pci"]);
+function detectOriginalType(options) {
+  const type = options.type;
+  if (!type) return "string";
+  let t;
+  if (typeof type === "string") {
+    t = type.toLowerCase();
+  } else if (typeof type === "object" && type !== null) {
+    const rt = type.runtimeType;
+    t = rt ?? type.constructor?.name?.toLowerCase() ?? "string";
+  } else {
+    return "string";
+  }
+  if (t.includes("json") || t === "object") return "json";
+  if (t.includes("int") || t === "number" || t === "double" || t === "float" || t === "decimal" || t === "smallint" || t === "tinyint") return "number";
+  if (t === "boolean" || t === "bool") return "boolean";
+  return "string";
+}
 function wrapClassified(builder, level) {
+  if (ENCRYPTED_LEVELS.has(level)) {
+    const options = builder["~options"];
+    if (options) {
+      const originalType = detectOriginalType(options);
+      options.type = new EncryptedType(originalType);
+      options.columnType = "text";
+      options.runtimeType = originalType === "json" ? "object" : originalType;
+    }
+  }
   return new Proxy(builder, {
     get(target, prop) {
       if (prop === COMPLIANCE_KEY) return level;
@@ -201,7 +327,7 @@ var RELATION_METHODS = /* @__PURE__ */ new Set([
 function isRelationMethod(prop) {
   return typeof prop === "string" && RELATION_METHODS.has(prop);
 }
-var fp = new Proxy(import_core.p, {
+var fp = new Proxy(import_core2.p, {
   get(target, prop) {
     const value = Reflect.get(target, prop, target);
     if (typeof value !== "function") return value;
@@ -225,7 +351,7 @@ var fp = new Proxy(import_core.p, {
 });
 
 // src/persistence/defineComplianceEntity.ts
-var import_core2 = require("@mikro-orm/core");
+var import_core3 = require("@mikro-orm/core");
 function readComplianceLevel(builder) {
   if (builder == null || typeof builder !== "object") return void 0;
   return builder[COMPLIANCE_KEY];
@@ -234,7 +360,7 @@ function defineComplianceEntity(meta) {
   const entityName = "name" in meta ? meta.name : "Unknown";
   const complianceFields = /* @__PURE__ */ new Map();
   const rawProperties = meta.properties;
-  const resolvedProperties = typeof rawProperties === "function" ? rawProperties(import_core2.p) : rawProperties;
+  const resolvedProperties = typeof rawProperties === "function" ? rawProperties(import_core3.p) : rawProperties;
   for (const [fieldName, rawProp] of Object.entries(resolvedProperties)) {
     if (typeof rawProp === "function") {
       complianceFields.set(fieldName, "none");
@@ -261,7 +387,7 @@ function defineComplianceEntity(meta) {
   if (meta.userIdField) {
     registerEntityUserIdField(entityName, meta.userIdField);
   }
-  return (0, import_core2.defineEntity)(
+  return (0, import_core3.defineEntity)(
     meta
   );
 }
@@ -308,12 +434,23 @@ var FieldEncryptor = class {
       import_crypto.default.hkdfSync(HKDF_HASH, this.masterKey, HKDF_SALT, tenantId, KEY_BYTES)
     );
   }
+  /**
+   * Derive a deterministic IV from the key and plaintext using HMAC-SHA256,
+   * truncated to IV_BYTES. Same plaintext + same key → same IV → same
+   * ciphertext. This enables WHERE clause matching on encrypted columns
+   * while maintaining AES-256-GCM authenticated encryption.
+   *
+   * Meets SOC 2, HIPAA, PCI DSS, GDPR requirements for encryption at rest.
+   */
+  deriveDeterministicIv(key, plaintext) {
+    return import_crypto.default.createHmac("sha256", key).update(plaintext).digest().subarray(0, IV_BYTES);
+  }
   encrypt(plaintext, tenantId) {
     if (plaintext === null || plaintext === void 0) {
       return null;
     }
     const key = this.deriveKey(tenantId ?? "");
-    const iv = import_crypto.default.randomBytes(IV_BYTES);
+    const iv = this.deriveDeterministicIv(key, plaintext);
     const cipher = import_crypto.default.createCipheriv(ALGORITHM, key, iv);
     const encrypted = Buffer.concat([
       cipher.update(plaintext, "utf8"),
@@ -321,7 +458,7 @@ var FieldEncryptor = class {
     ]);
     const authTag = cipher.getAuthTag();
     return [
-      "v1",
+      "v2",
       iv.toString("base64"),
       authTag.toString("base64"),
       encrypted.toString("base64")
@@ -332,7 +469,7 @@ var FieldEncryptor = class {
       return null;
     }
     const parts = ciphertext.split(":");
-    if (parts.length !== 4 || parts[0] !== "v1") {
+    if (parts.length !== 4 || parts[0] !== "v1" && parts[0] !== "v2") {
       throw new DecryptionError(
         `Unknown ciphertext version or malformed format`
       );
@@ -357,85 +494,7 @@ var FieldEncryptor = class {
 };
 
 // src/persistence/complianceEventSubscriber.ts
-var ENCRYPTED_PREFIX = "v1:";
-var ENCRYPTED_LEVELS = /* @__PURE__ */ new Set(["pii", "phi", "pci"]);
-var ComplianceEventSubscriber = class {
-  encryptor;
-  constructor(encryptor) {
-    this.encryptor = encryptor;
-  }
-  async beforeCreate(args) {
-    this.encryptFields(args);
-  }
-  async beforeUpdate(args) {
-    this.encryptFields(args);
-  }
-  async onLoad(args) {
-    this.decryptFields(args);
-  }
-  // ---------------------------------------------------------------------------
-  // Encrypt on persist
-  // ---------------------------------------------------------------------------
-  encryptFields(args) {
-    const entityName = args.meta.className;
-    const complianceFields = getEntityComplianceFields(entityName);
-    if (!complianceFields) return;
-    const tenantId = this.getTenantId(args.em);
-    const entity = args.entity;
-    for (const [fieldName, level] of complianceFields) {
-      if (!ENCRYPTED_LEVELS.has(level)) continue;
-      const value = entity[fieldName];
-      if (value === null || value === void 0) continue;
-      if (typeof value !== "string") continue;
-      if (value.startsWith(ENCRYPTED_PREFIX)) continue;
-      entity[fieldName] = this.encryptor.encrypt(value, tenantId ?? "");
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Decrypt on load
-  // ---------------------------------------------------------------------------
-  decryptFields(args) {
-    const entityName = args.meta.className;
-    const complianceFields = getEntityComplianceFields(entityName);
-    if (!complianceFields) return;
-    const tenantId = this.getTenantId(args.em);
-    const entity = args.entity;
-    for (const [fieldName, level] of complianceFields) {
-      if (!ENCRYPTED_LEVELS.has(level)) continue;
-      const value = entity[fieldName];
-      if (value === null || value === void 0) continue;
-      if (typeof value !== "string") continue;
-      if (value.startsWith(ENCRYPTED_PREFIX)) {
-        try {
-          entity[fieldName] = this.encryptor.decrypt(value, tenantId ?? "");
-        } catch (err) {
-          if (err instanceof DecryptionError) {
-            throw new DecryptionError(
-              `Failed to decrypt ${entityName}.${fieldName}: ${err.message}`
-            );
-          }
-          throw err;
-        }
-      } else {
-        console.warn(
-          `[compliance] ${entityName}.${fieldName} contains unencrypted ${level} data. Run encryption migration to encrypt existing data.`
-        );
-      }
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Tenant ID resolution
-  // ---------------------------------------------------------------------------
-  /**
-   * Read the tenant ID from the EntityManager's filter parameters.
-   * Returns undefined when no tenant context is set (startup, seeders,
-   * better-auth). Callers skip encryption/decryption in that case.
-   */
-  getTenantId(em) {
-    const filters = em.getFilterParams("tenant");
-    return filters?.tenantId;
-  }
-};
+var ENCRYPTED_LEVELS2 = /* @__PURE__ */ new Set(["pii", "phi", "pci"]);
 function wrapEmWithNativeQueryBlocking(em) {
   const BLOCKED_METHODS = [
     "nativeInsert",
@@ -451,7 +510,7 @@ function wrapEmWithNativeQueryBlocking(em) {
             const fields = getEntityComplianceFields(entityName);
             if (fields) {
               for (const [fieldName, level] of fields) {
-                if (ENCRYPTED_LEVELS.has(level)) {
+                if (ENCRYPTED_LEVELS2.has(level)) {
                   throw new EncryptionRequiredError(
                     `${prop}() blocked on entity '${entityName}' because field '${fieldName}' has compliance level '${level}'. Use em.create() + em.flush() instead to ensure encryption.`
                   );
@@ -624,9 +683,9 @@ function escapeSqlString(value) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  ComplianceEventSubscriber,
   ComplianceLevel,
   DecryptionError,
+  EncryptedType,
   EncryptionRequiredError,
   FieldEncryptor,
   MissingEncryptionKeyError,
@@ -641,14 +700,18 @@ function escapeSqlString(value) {
   getAllRetentionPolicies,
   getAllUserIdFields,
   getComplianceMetadata,
+  getCurrentTenantId,
   getEntityComplianceFields,
   getEntityRetention,
   getEntityUserIdField,
   getSuperAdminContext,
   parseDuration,
+  registerEncryptor,
+  setEncryptionTenantId,
   setupRls,
   setupTenantFilter,
   subtractDuration,
+  withEncryptionContext,
   wrapEmWithNativeQueryBlocking
 });
 //# sourceMappingURL=index.js.map